It is well known that no quantum bit commitment protocol is unconditionally secure.
Nonetheless, there can be non-trivial upper bounds on both Bob's probability of correctly
estimating Alice's commitment and Alice's probability of successfully unveiling whatever
bit she desires. In this paper, we seek to determine these bounds for generalizations of
the BB84 bit commitment protocol. In such protocols, an honest Alice commits to

a bit by randomly choosing a state from a specified set and submitting this to Bob, 
and later unveils the bit to Bob by announcing the chosen state, at which point Bob 
measures the projector onto the state. Bob's optimal cheating strategy can be easily 
deduced from well known results in the theory of quantum state estimation. We show 
how to understand Alice's most general cheating strategy (which involves her submitting
to Bob one half of an entangled state) in terms of a theorem of Hughston, Jozsa and 
Wootters. We also show how the problem of optimizing Alice's cheating strategy for a 
fixed submitted state can be mapped onto a problem of state estimation. Finally, using 
the Bloch ball representation of qubit states, we identify the optimal coherent attack 
for a class of protocols that can be implemented with just a single qubit. These results 
provide a tight upper bound on Alice's probability of successfully unveiling whatever bit 
she desires in the protocol proposed by Aharonov et al., and lead us to identify a qubit
protocol with even greater security.

Keywords: Quantum Cryptography, Bit Commitment, BB84, Two-party protocols


1. Introduction 

Suppose Alice and Bob wish to play a game wherein Alice wins if she can correctly predict 
which of two mutually exclusive events will occur and Bob wins if she cannot. One way to 
play the game would be for Alice to tell Bob her prediction before the events in question. 
There are situations, however, where this is inappropriate. For instance, Bob might be able 
to influence the relative probability of the events in question (indeed, which of these events 
2 Optimization of Coherent Attacks . . .

occurs might be entirely up to Bob). In such cases, Alice wants Bob to know as little as 
possible about her prediction until some time after the occurrence of one of the events. Of 
course, Bob will still want to receive some sort of 'token' of Alice's prediction prior to the 
events in question, since otherwise Alice could always claim to have won the game. Thus, 
Alice and Bob would like a cryptographic protocol which forces Alice to 'commit' herself to a 
bit (which encodes her prediction), while ensuring that Bob can find out as little as possible 
about this bit until the time that Alice reveals it to him. This is a bit commitment (BC)
protocol. In addition to the task of prediction described above, BC appears as a primitive in 
many other cryptographic tasks and is therefore of particular significance in cryptography. 

A simple example of an implementation of BC proceeds as follows. Alice writes a '0' or 
a '1' on a piece of paper, and locks this in a safe. She then sends the safe to Bob, but keeps 
the key. When it comes time to reveal her commitment, she sends the key to Bob, who opens 
the safe and discovers the value of the bit. This protocol binds Alice to the bit she chose at 
the outset since she cannot change what is written on the piece of paper after she submits 
the safe to Bob. However, it only conceals the bit from Bob if he is unable to pick the lock, 
or force the safe open, or image the contents of the safe. 

This paper focuses on a particular class of quantum BC protocols, specifically, general- 
izations of the BC protocol that was published by Bennett and Brassard in 1984 [1]. We 
shall refer to these as generalized BB84 BC protocols. Within such protocols, an honest Alice 
commits to a bit 0 by choosing a state randomly from a specified set of states, and by
subsequently sending a system prepared in this state to Bob. She commits to a bit 1 by choosing
the state from a different set. At the end of the protocol she reveals to Bob which state she 
submitted and Bob measures the projector onto this state to verify Alice's claim. 

Bob can cheat in such a protocol by performing a measurement on the systems submitted 
to him by Alice, prior to Alice revealing her commitment. The measurement that maximizes 
his probability of correctly estimating Alice's commitment can be determined from the
well-known theory of state estimation [2].

Alice can cheat by preparing the system she initially submits to Bob in a state different 
from the ones specified by the protocol, in particular, by entangling this system with an 
ancilla system that she keeps in her possession, and by later performing a measurement on 
the ancilla and choosing the state which she announces to Bob based on the outcome of this 
measurement. This has been called a coherent attack, since in general such an attack requires 
Alice to maintain the coherence between the different possibilities in the random choice the 
protocol asks her to make. It has also been called an EPR-type attack, since in the original 
BB84 BC protocol, the optimal entangled state for Alice to prepare is the EPR state. The 
problem of determining the coherent attack that maximizes Alice's probability of successfully 
cheating has remained open to date. It is the goal of this paper to begin to answer this 
question. 

It has been shown by Mayers [3] and by Lo and Chau [4] that an unconditionally secure 
BC protocol does not exist [5]. In other words, it is not possible to devise a BC protocol 
that is arbitrarily concealing, that is, one for which Bob's probability of correctly estimating 
Alice's commitment is arbitrarily small, and arbitrarily binding, that is, one for which Alice's 
probability of revealing whatever bit she desires without being caught cheating is arbitrarily 
small. Nonetheless, there remain interesting questions to be answered about coherent attacks. 
For instance, it is possible to have a BC protocol that is partially binding and partially
concealing, wherein Alice and Bob's probabilities of successfully cheating are both bounded 
above [8]. Determining the optimal coherent attack is crucial to determining the degree of 
bindingness that can be achieved in such protocols. 

Coherent attacks are also important in other quantum cryptographic tasks between mis- 
trustful parties - such as coin tossing [9], cheat sensitive bit commitment [10], bit escrow [11] 
and quantum gambling [12] - wherein a type of bit commitment often appears as a subpro- 
tocol. Understanding how to optimize coherent attacks is therefore important for settling 
questions about the degree of security that can be achieved for such tasks. 

We summarize here the main results of the paper. The last four apply only to protocols 
that can be implemented using a single qubit. 

• We explain coherent attacks in terms of the well known theorem of Hughston, Jozsa 
and Wootters [13]. 

• We demonstrate that the problem of finding the optimal coherent attack for a fixed 
submitted state can be mapped onto a problem of state estimation which has a known 
solution [2]. 

• We show that the optimal state for a cheating Alice to submit has a support in the span 
of the supports of the set of states from which an honest Alice chooses. 

• We provide a simple geometrical picture on the Bloch sphere of coherent attacks. In 
addition to being useful for building one's intuitions about such attacks, this provides 
a convenient formalism within which to solve the optimization problem, as well as a 
geometrical criterion for whether or not Alice can cheat with probability 1 in a given 
protocol. 

• We find analytic expressions for the optimal cheating strategy in the case where the sets 
of states that an honest Alice chooses from each have no more than two elements. 

• Using these results, we determine Alice's optimal coherent attack in a BC protocol 
that was proposed by Aharonov et al. [11]. Our result provides a tight upper bound 
on Alice's probability of unveiling whatever bit she desires, improving upon the best 
previous known upper bound. This allows us to determine, for this protocol, the trade- 
off relation between a measure of the concealment and a measure of the bindingness. 
We show that the same trade-off relation can be achieved with several other protocols. 

• Finally, our results allow us to determine Alice's optimal coherent attack in a novel 
generalized BB84 BC protocol wherein the trade-off relation between concealment and 
bindingness is better than can be achieved with the protocol of Aharonov et al. 

The paper is organized as follows. In section 2, we provide an operational definition of bit 
commitment, define degrees of security, and describe the BB84 BC protocol and its generaliza- 
tions. In section 3, we introduce the notion of a convex decomposition of a density operator, 
review its properties, and demonstrate its significance for coherent attacks. In section 4, we 
formulate the optimization problem to be solved. Results for protocols involving systems of 
arbitrary dimensionality and for protocols involving qubits are presented in sections 5 and 6
respectively. Applications of these results are presented in section 7, and section 8 contains 
our concluding remarks. 

2. Bit Commitment 

2.1. An operational definition of Bit Commitment 

We begin by providing a definition of BC that is strictly operational, that is, one which only 
makes reference to the experimental operations carried out by the parties, and not to any 
concepts that are particular to a physical theory. This seems to us to be the most sensible way 
of proceeding for any information processing task, since such tasks can be defined indepen- 
dently of their physical implementation and consequently of any physical theory describing 
this implementation. Among other benefits, this approach allows one to characterize a phys- 
ical theory by the type of protocols which can be securely implemented within a universe 
described by that theory. 

A BC protocol is a cryptographic protocol between two mistrustful parties. It can be de- 
fined in terms of the characteristics of these parties' honest (i.e., non-cheating) strategies. We 
call the two parties Alice and Bob, and assume that Alice is the one making the commitment. 

The protocol is divided into three intervals, called the commitment phase, the holding 
phase and the unveiling phase. Each of these may involve many rounds of communication 
between Alice and Bob. The result of the protocol is one of three possibilities, denoted 
'0', '1' and 'fail'. Which of these has occurred is determined from the outcomes of all the 
measurements that an honest Bob has made throughout the protocol. The protocol specifies 
the strategy an honest Alice must adopt to commit to a bit b. It is such that if both parties are 
honest and Alice follows the strategy for committing a bit 0 (1), the result of the protocol is
necessarily '0' ('1'). It follows that if the outcome 'fail' occurs, an honest Bob can conclude that
Alice must have cheated. The protocol must also be such that if both parties are honest, Alice 
does not, through actions taken after the end of the commitment phase, change the relative 
probability of the results '0' and '1' occurring, and Bob does not, prior to the beginning of 
the unveiling phase, gain any information about Alice's commitment. 

In the protocols we shall be considering, Alice will not always be caught when she cheats. 
Thus, it can happen that the result of the protocol is 'b' even though Alice cheated and did
not follow the honest strategy for committing a bit b. Indeed, Alice can, by cheating, change
the relative probability of the '0' and '1' results by actions taken after the commitment phase.
We shall say that 'Alice unveils bit b' whenever the result of the protocol is 'b'.^a

2.2. Types of security 

To define the security of a BC protocol, one needs to quantify the notions of concealment
against Bob and bindingness against Alice. In this paper, we focus upon the probability that
Bob can, prior to the beginning of the unveiling phase, correctly estimate Alice's commitment
(given that Alice is honest), and the probability that Alice can, after the end of the
commitment phase, successfully unveil whatever bit she desires (given that Bob is honest).
We denote these by $P_E$ and $P_U$ respectively. Note that these probabilities vary with the
cheating strategy used. In this paper, we shall only consider protocols wherein these are both
equal to 1/2 for honest strategies.^b

^a It is important to remember that within our terminology 'Alice unveiling bit b' implies that she was not
caught cheating. Thus in a generalized BB84 BC protocol, when Alice announces b to Bob, we say that Alice
is attempting to unveil a bit b, but we only say that she has unveiled b if she passes Bob's test.

A bit commitment protocol is said to be arbitrarily binding if for all of Alice's strategies, $P_U$
is bounded above by $1/2 + \epsilon$, where $\epsilon$ can be made arbitrarily small by increasing some security
parameter in the protocol. It is said to be arbitrarily concealing if for all of Bob's strategies,
$P_E$ is bounded similarly. Although no BC protocol can be arbitrarily binding and arbitrarily
concealing, both $P_E$ and $P_U$ can have non-trivial upper bounds (that is, upper bounds less
than 1). We will refer to such protocols as partially binding and partially concealing. The
maxima of $P_E$ and $P_U$ for a given protocol, which we denote by $P_E^{\max}$ and $P_U^{\max}$, quantify the
degree of concealment and the degree of bindingness that can be achieved in this protocol.

The implementation of BC using a safe, discussed in the introduction, is binding against 
Alice, but is only concealing against Bob if he has limited 'safe-cracking' resources. More 
useful implementations of bit commitment instead rely for concealment on the assumption 
that Bob has limited computational resources. Obviously, one would prefer that the security 
of the protocol not depend on the resources of either party, but rather only on the laws of 
physics and the integrity of the party's laboratories. A property of a protocol that has this 
feature is said to hold unconditionally. All the properties of protocols referred to in this paper, 
are properties which hold unconditionally. 

2.3. The BB84 BC protocol 

The first proposal for a quantum mechanical implementation of a BC protocol was made by 
Bennett and Brassard [1]. We refer to it as the BB84 BC protocol. This was recognized by 
its authors to have no bindingness against Alice. Nonetheless, we begin by reviewing this 
protocol, since it provides a simple example of the type of cheating strategy with which this 
paper will be concerned. 

Imagine a protocol wherein Alice submits a qubit to Bob during the commitment phase.
To commit to a bit 0, she prepares the qubit in a state chosen uniformly from the set $\{|0\rangle, |1\rangle\}$,
while to commit to a bit 1, she chooses from the set $\{|+\rangle, |-\rangle\}$, where $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$.
No measurement Bob can do is able to distinguish these two possibilities. At the unveiling
phase, Alice can tell Bob which state she submitted, and Bob can do a measurement of
the projector onto this state to verify her honesty. If Alice tries to convince Bob that she
submitted a state drawn from the opposite set - for instance, that she submitted $|+\rangle$ when
in fact she submitted $|0\rangle$ - then her probability of passing his test is only 1/2. The BB84 BC
protocol demands that Alice repeat her commitment for N qubits, that is, that Alice either
chooses each qubit's state uniformly from $\{|0\rangle, |1\rangle\}$ or uniformly from $\{|+\rangle, |-\rangle\}$. Clearly, in
this case her probability of passing Bob's test when she lies about her commitment is $1/2^N$.
So, with respect to strategies wherein Alice cheats by lying about her commitment, such a
protocol appears to be arbitrarily binding.

^b In most discussions of bit commitment, it is assumed that neither Alice nor Bob has any information at the
commitment phase about which bit will be more beneficial for Alice to unveil. However, one must relax this
assumption in order to consider a game wherein Alice predicts which of two events will occur given some prior
information on their relative probability. The results of this paper can be generalized in a straightforward
manner to apply to such a protocol. It suffices to replace Eq. (5) with $P_U = p_0 P_{U0} + p_1 P_{U1}$, where $p_b$ is the
probability that Alice will wish to unveil bit b after the commitment phase, and to generalize all subsequent
expressions accordingly.

However, Alice has another cheating strategy available to her. Prior to submitting a
qubit to Bob, she can entangle it with a qubit that she keeps in her possession. Specifically,
she prepares the two in the EPR state $(|0\rangle|1\rangle - |1\rangle|0\rangle)/\sqrt{2}$. Given that this state can also
be written as $(|+\rangle|-\rangle - |-\rangle|+\rangle)/\sqrt{2}$, it is clear that by measuring the $\{|0\rangle, |1\rangle\}$ basis or
$\{|+\rangle, |-\rangle\}$ basis on the qubit in her possession, she projects the qubit in Bob's possession
into the $\{|0\rangle, |1\rangle\}$ basis or $\{|+\rangle, |-\rangle\}$ basis respectively. Moreover, the binary outcome of her
measurement will be perfectly anti-correlated with the state of Bob's qubit. So Alice knows
precisely which state to announce to Bob. Using this strategy, she can choose which bit she
wants to unveil just prior to the unveiling phase, and always succeed at passing Bob's test.
This is the so-called 'coherent' or 'EPR' attack.
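
The two cheating strategies described above can be checked numerically for the single-qubit case. The following Python is an added example, not code from the paper; the function names are chosen here, and Alice's announcement rule (announce the state in the target set that best overlaps Bob's steered state) is an assumption that reproduces the anti-correlation argument.

```python
import math

S = 1 / math.sqrt(2)
# Single-qubit kets as (amplitude of |0>, amplitude of |1>).
KET0, KET1, PLUS, MINUS = (1, 0), (0, 1), (S, S), (S, -S)
# States an honest Alice chooses from, per committed bit.
SETS = {0: [KET0, KET1], 1: [PLUS, MINUS]}

# EPR state (|0>|1> - |1>|0>)/sqrt(2); SINGLET[a][b] is the amplitude
# of |a> on Alice's qubit and |b> on Bob's qubit.
SINGLET = ((0, S), (-S, 0))


def accept_prob(claim, actual):
    """Probability that Bob's projector onto |claim> accepts the state |actual>."""
    amp = sum(complex(x).conjugate() * y for x, y in zip(claim, actual))
    return abs(amp) ** 2


def steer(psi, u):
    """Alice finds her qubit in |u>: return (probability, Bob's normalized ket)."""
    unnorm = [sum(complex(u[a]).conjugate() * psi[a][b] for a in range(2))
              for b in range(2)]
    p = sum(abs(x) ** 2 for x in unnorm)
    if p < 1e-12:
        return 0.0, None
    return p, tuple(x / math.sqrt(p) for x in unnorm)


def epr_attack_success(bit, psi=SINGLET):
    """Probability that Alice unveils `bit`, chosen only at the unveiling phase."""
    total = 0.0
    for u in SETS[bit]:            # measure her half in the basis for that bit
        p, bob = steer(psi, u)
        if bob is not None:        # announce the best-matching state of the set
            total += p * max(accept_prob(c, bob) for c in SETS[bit])
    return total


def lying_success(committed_bit):
    """Alice honestly sent a state for `committed_bit`, then claims the other bit."""
    other = 1 - committed_bit
    return sum(0.5 * max(accept_prob(c, sent) for c in SETS[other])
               for sent in SETS[committed_bit])


def repeated(per_qubit, n):
    """Success probability when the same test must be passed on n qubits."""
    return per_qubit ** n


if __name__ == "__main__":
    for n in (1, 10):
        print(n, repeated(lying_success(0), n), repeated(epr_attack_success(1), n))
```

Lying after an honest preparation passes with probability 1/2 per qubit, while the entangled preparation passes with probability 1 for either bit, which is why repeating the commitment over N qubits does not restore bindingness.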

The analysis thus far leaves open the possibility that some other protocol using quantum 
primitives might succeed where the BB84 protocol failed. In fact, it has been shown that 
for the most general nonrelativistic protocol, unconditional security is not possible [3, 4, 9]. 
Nonetheless, there exist simple generalizations of the BB84 protocol that are both partially 
concealing and partially binding. 

2.4. Generalizations of the BB84 BC protocol 

A generalized BB84 BC protocol defines two sets of states $\{\psi^0_k\}_{k=1}^{n_0}$ and $\{\psi^1_k\}_{k=1}^{n_1}$ and corresponding
probability distributions $\{p^0_k\}_{k=1}^{n_0}$ and $\{p^1_k\}_{k=1}^{n_1}$ (note that the values of $n_0$ and $n_1$
need not be the same). In order to commit to bit b, an honest Alice chooses a state from
$\{\psi^b_k\}_{k=1}^{n_b}$ using the distribution $\{p^b_k\}_{k=1}^{n_b}$ and sends a system prepared in this state to Bob at
the commitment phase. An honest Bob simply stores the system during the holding phase.
At the unveiling phase, an honest Alice announces b and k to Bob, and he measures the
projector onto $|\psi^b_k\rangle$. If Alice passes Bob's test, she has succeeded in unveiling the bit b, and the
result of the protocol is 'b'. Otherwise, she is caught cheating, and the result of the protocol
is 'fail'.^c

To estimate Alice's commitment, Bob must estimate whether the system in his possession
is described by $\rho_0 = \sum_{k=1}^{n_0} p^0_k |\psi^0_k\rangle\langle\psi^0_k|$, or $\rho_1 = \sum_{k=1}^{n_1} p^1_k |\psi^1_k\rangle\langle\psi^1_k|$. The problem of optimal
state estimation has previously been studied in great detail [2], and in particular the optimal
measurement for discriminating two density operators is well known [14]. Using the optimal
measurement, the maximum probability of Bob correctly estimating Alice's commitment is

$$P_E^{\max} = \frac{1}{2} + \frac{1}{4}\mathrm{Tr}\,|\rho_0 - \rho_1|, \tag{1}$$

where $|A| = \sqrt{A^\dagger A}$. It follows that as long as $\rho_0$ and $\rho_1$ do not have orthogonal supports,
$P_E^{\max}$ is strictly less than 1 and the protocol is partially concealing.
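
Eq. (1) is straightforward to evaluate for single-qubit protocols. The following Python is an added example, not part of the paper: it computes $P_E^{\max}$ from the two ensembles and checks that projecting onto the positive part of $\rho_0 - \rho_1$ attains it. The second pair of state sets is constructed for illustration and is not a protocol taken from the paper.

```python
import math

S = 1 / math.sqrt(2)
KET0, KET1, PLUS, MINUS = (1, 0), (0, 1), (S, S), (S, -S)


def density(states, probs):
    """rho = sum_k p_k |psi_k><psi_k| as a 2x2 nested list of complex numbers."""
    rho = [[0j, 0j], [0j, 0j]]
    for psi, p in zip(states, probs):
        for i in range(2):
            for j in range(2):
                rho[i][j] += p * complex(psi[i]) * complex(psi[j]).conjugate()
    return rho


def difference(set0, probs0, set1, probs1):
    rho0, rho1 = density(set0, probs0), density(set1, probs1)
    diff = [[rho0[i][j] - rho1[i][j] for j in range(2)] for i in range(2)]
    return rho0, rho1, diff


def trace_norm_hermitian(m):
    """Tr|M| for a 2x2 Hermitian M: the sum of the absolute eigenvalues."""
    mean = (m[0][0].real + m[1][1].real) / 2
    radius = math.sqrt(((m[0][0].real - m[1][1].real) / 2) ** 2 + abs(m[0][1]) ** 2)
    return abs(mean + radius) + abs(mean - radius)


def bob_max_estimate(set0, probs0, set1, probs1):
    """Eq. (1): P_E^max = 1/2 + (1/4) Tr|rho_0 - rho_1|."""
    _, _, diff = difference(set0, probs0, set1, probs1)
    return 0.5 + 0.25 * trace_norm_hermitian(diff)


def guess_probability(set0, probs0, set1, probs1):
    """Bob projects onto the positive eigenvector of rho_0 - rho_1 and guesses
    bit 0 on that outcome, bit 1 otherwise; returns his success probability."""
    rho0, rho1, diff = difference(set0, probs0, set1, probs1)
    a, b, d = diff[0][0].real, diff[0][1], diff[1][1].real
    lam = (a + d) / 2 + math.sqrt(((a - d) / 2) ** 2 + abs(b) ** 2)
    if abs(b) > 1e-12:
        v = (b, lam - a)                      # eigenvector for eigenvalue lam
    else:
        v = (1, 0) if a >= d else (0, 1)      # diff is already diagonal
    norm = math.sqrt(sum(abs(x) ** 2 for x in v))
    v = [x / norm for x in v]

    def expect(rho):
        return sum(v[i].conjugate() * rho[i][j] * v[j]
                   for i in range(2) for j in range(2)).real

    return 0.5 * expect(rho0) + 0.5 * (1 - expect(rho1))


UNIFORM = [0.5, 0.5]
BB84 = ([KET0, KET1], UNIFORM, [PLUS, MINUS], UNIFORM)
# Constructed example sets (not from the paper): bit 0 -> {|0>, |+>}, bit 1 -> {|1>, |->}.
CONSTRUCTED = ([KET0, PLUS], UNIFORM, [KET1, MINUS], UNIFORM)

if __name__ == "__main__":
    for name, proto in (("BB84", BB84), ("constructed", CONSTRUCTED)):
        print(name, bob_max_estimate(*proto), guess_probability(*proto))
```

For the BB84 sets $\rho_0 = \rho_1$, so Bob can do no better than 1/2; for the constructed sets the supports overlap without coinciding and the bound lies strictly between 1/2 and 1.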

The complementary problem, of determining $P_U^{\max}$, the maximum probability of Alice
unveiling whatever bit she desires, and the strategy which achieves this maximum, has
remained open to date. Alice's most general strategy is of the following form. Prior to sending
the system to Bob, she entangles it with a system she keeps in her possession. At the unveiling
phase, she does one of two measurements on the system in her possession, depending on
whether she is attempting to unveil a 0 or a 1. She chooses what integer k to announce to
Bob based on the outcome of this measurement. It follows that in order to determine $P_U^{\max}$,
we must optimize over the entangled state that Alice prepares, the two measurements she can
perform and the announcement she makes to Bob given each possible outcome. We shall see
that there exist generalized BB84 BC protocols where $P_U^{\max}$ is strictly less than 1, so that
these protocols are partially binding.

^c It should be noted that the honest strategy for Alice to commit b that we have described is equivalent
with respect to concealment to the following strategy: Alice couples the system she sends to Bob with a
system she keeps in her possession (of dimension $n_b$ or greater) such that the two are in the entangled state
$\sum_{k=1}^{n_b} (p^b_k)^{1/2} |k\rangle \otimes |\psi^b_k\rangle$, where the $|k\rangle$ form an orthonormal basis. At the unveiling phase, she measures the
basis $|k\rangle$ in order to determine what integer to announce to Bob.

It will be useful to introduce a few mathematical concepts and results before turning to 
the optimization problem. 

3. Convex decompositions of a density operator 

3.1. Definition and properties of convex decompositions 

We begin by introducing a mathematical concept that will be critical for solving our problem.
A convex decomposition $\{(q_k, \sigma_k)\}_{k=1}^{n}$ of a density operator $\rho$ is a set of probabilities, $q_k$, and
distinct density operators, $\sigma_k$, such that

$$\rho = \sum_{k=1}^{n} q_k \sigma_k.$$

The $\sigma_k$ will be referred to as the elements of the convex decomposition. We use the term
'convex' to distinguish this from a decomposition of a pure state into a sum of pure states,
and from a decomposition of a density operator into general sums of operators, that is, sums
of operators that are not necessarily positive. Nonetheless, we will throughout this paper use
the term decomposition as a shorthand.^d

Some terminology will be used in connection with convex decompositions. The elements
that receive non-zero probability will be called the positively-weighted elements. A decomposition
will be called extremal if its positively-weighted elements are all of rank 1 (i.e., if they
are all pure states). A set of density operators will be called uncontractable if none of its
members can be written as a convex decomposition of the others. A convex decomposition
will be called uncontractable if its positively-weighted elements are uncontractable. Clearly,
all extremal decompositions are uncontractable. Finally, a decomposition of $\rho$ is trivial if its
only positively-weighted element is $\rho$.

Another concept that will be useful in the present investigation is a relation that holds
between sets of density operators, and which we shall refer to as composable coincidence. Two
sets of density operators $\{\sigma^0_k\}$ and $\{\sigma^1_k\}$ will be called composably coincident if there exist
probability distributions $\{q^0_k\}$ and $\{q^1_k\}$ such that

$$\sum_k q^0_k \sigma^0_k = \sum_k q^1_k \sigma^1_k.$$

In other words, $\{\sigma^0_k\}$ and $\{\sigma^1_k\}$ are composably coincident if there exists a density operator
which has a convex decomposition in terms of the $\sigma^0_k$'s and a convex decomposition in terms
of the $\sigma^1_k$'s.

^d Note that previous authors have used the term $\rho$-ensemble to refer to a convex decomposition of $\rho$.

It will also be useful to set forth a few well-known facts about convex decompositions [13].
A necessary and sufficient condition for a density operator $\sigma$ to appear in some convex
decomposition of $\rho$ is for the eigenvectors of $\sigma$ to be confined to the support of $\rho$. The cardinality of
an extremal decomposition of $\rho$ must be greater than or equal to the rank of $\rho$. Finally, there
sometimes exists a prescription for obtaining the probability with which a particular element
appears in a convex decomposition of a density operator. In convex decompositions of $\rho$
containing orthogonal elements, the probability associated with an element $\sigma$ is fixed by $\rho$ and
$\sigma$ - it is simply $\mathrm{Tr}(\sigma\rho)/\mathrm{Tr}(\sigma^2)$. However, for a general set of non-orthogonal elements $\{\sigma_k\}$
that form a convex decomposition of $\rho$, the probabilities need not be unique; the same set of
density operators $\{\sigma_k\}$ may appear in different convex decompositions of $\rho$. For instance, the
completely mixed state in a 2d Hilbert space, $I/2$, has an indenumerably infinite number of
convex decompositions with elements $\{|0\rangle\langle 0|, |1\rangle\langle 1|, |+\rangle\langle +|, |-\rangle\langle -|\}$, since these yield a
decomposition for every probability distribution of the form $(\frac{1}{2}\lambda, \frac{1}{2}\lambda, \frac{1}{2}(1-\lambda), \frac{1}{2}(1-\lambda))$ where
$\lambda$ lies between 0 and 1. Nonetheless, a special case wherein the probabilities are unique is if
the convex decomposition is extremal and of cardinality equal to the rank of $\rho$. In this case, a
simple formula for the probability of a given element can be given. If $\{(q_k, |\xi_k\rangle\langle\xi_k|)\}$ is such
a decomposition, then the non-zero probabilities are given by Jaynes' rule [15],

$$q_k = \frac{1}{\langle\xi_k|\rho^{-1}|\xi_k\rangle}, \tag{2}$$

where $\rho^{-1}$ is the inverse of the restriction of $\rho$ to its support (in other words, $\rho^{-1}$ is obtained
from $\rho$ by inverting the non-zero eigenvalues in the spectral resolution of $\rho$).

3.2. The connection between convex decompositions and POVMs 

The most general measurement on a system in quantum mechanics is associated with a positive
operator-valued measure (POVM). A POVM is a set of positive operators that sum to the
identity operator, that is, a set $\{E_k\}$ such that for every k, $\langle\phi|E_k|\phi\rangle \geq 0$ for all $|\phi\rangle \in \mathcal{H}$, and
$\sum_k E_k = I$. Neumark's theorem [16] shows that every POVM on a system can be implemented
by coupling to an ancilla system and performing projective measurements on the ancilla. As
it turns out, there is a close mathematical connection between convex decompositions of $\rho$
and POVMs, as was demonstrated by Hughston, Jozsa and Wootters [13].

Lemma There is a one-to-one map between the convex decompositions of $\rho$ and the
POVMs over the support of $\rho$. Specifically, the POVM $\{E_k\}_{k=1}^{n}$ is associated with
the decomposition $\{(q_k, \sigma_k)\}_{k=1}^{n}$ defined by

$$q_k \sigma_k = \sqrt{\rho}\, E_k \sqrt{\rho}. \tag{3}$$

Proof. It is trivial to see that $\{(q_k, \sigma_k)\}_{k=1}^{n}$ is a decomposition of $\rho$ by summing Eq. 3
over k and using the fact that $\sum_k E_k = I$, where $I$ is the identity operator on the support of
$\rho$. That any decomposition of $\rho$ is associated with some POVM over the support of $\rho$ follows
from the fact that $\sqrt{\rho}$ is invertible on the support of $\rho$. Specifically, if this inverse is denoted



R. W. Spekkens and T. Rudolph 9 

by $\rho^{-1/2}$ then the resolution $\{(q_k, \sigma_k)\}_{k=1}^{n}$ is associated with the POVM $\{E_k\}_{k=1}^{n}$ defined by
$E_k = q_k \rho^{-1/2} \sigma_k \rho^{-1/2}$. □

We say that the POVM $\{E_k\}_{k=1}^{n}$ generates the convex decomposition $\{(q_k, \sigma_k)\}_{k=1}^{n}$. Note
that we do not treat the technicalities associated with decompositions of infinite cardinality
in this paper; however, a discussion of these can be found in Cassinelli et al. [17].
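
The lemma and Jaynes' rule (Eq. 2) can both be exercised on qubit examples. The following Python is an added example, not from the paper; it assumes a full-rank 2x2 $\rho$ so that the support is the whole space, and the second decomposition (an equal mixture of $|0\rangle$ and $|+\rangle$) is constructed for illustration.

```python
import math

S = 1 / math.sqrt(2)
KET0, KET1, PLUS, MINUS = (1, 0), (0, 1), (S, S), (S, -S)
IDENTITY = [[1, 0], [0, 1]]


def proj(ket):
    """Rank-1 density operator |ket><ket|."""
    return [[complex(ket[i]) * complex(ket[j]).conjugate() for j in range(2)]
            for i in range(2)]


def matmul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)]
            for i in range(2)]


def scale(c, m):
    return [[c * x for x in row] for row in m]


def mix(weighted):
    """rho = sum_k q_k sigma_k for a list of (q_k, sigma_k) pairs."""
    return [[sum(q * s[i][j] for q, s in weighted) for j in range(2)]
            for i in range(2)]


def max_dev(a, b):
    return max(abs(a[i][j] - b[i][j]) for i in range(2) for j in range(2))


def sqrt_psd(m):
    """Square root of a nonzero 2x2 positive semidefinite matrix, using
    sqrt(M) = (M + sqrt(det M) I) / sqrt(tr M + 2 sqrt(det M))."""
    det = (m[0][0] * m[1][1] - m[0][1] * m[1][0]).real
    s = math.sqrt(max(det, 0.0))
    t = math.sqrt((m[0][0] + m[1][1]).real + 2 * s)
    return [[(m[i][j] + (s if i == j else 0)) / t for j in range(2)]
            for i in range(2)]


def inverse(m):
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return [[m[1][1] / det, -m[0][1] / det], [-m[1][0] / det, m[0][0] / det]]


def povm_from_decomposition(weighted):
    """Inverse direction of the lemma: E_k = q_k rho^{-1/2} sigma_k rho^{-1/2}."""
    r = inverse(sqrt_psd(mix(weighted)))
    return [scale(q, matmul(matmul(r, s), r)) for q, s in weighted]


def decomposition_from_povm(rho, povm):
    """Eq. (3): returns the unnormalized elements q_k sigma_k = sqrt(rho) E_k sqrt(rho)."""
    r = sqrt_psd(rho)
    return [matmul(matmul(r, e), r) for e in povm]


def jaynes_probability(rho, ket):
    """Eq. (2): q = 1 / <xi| rho^{-1} |xi> for a full-rank rho."""
    inv = inverse(rho)
    val = sum(complex(ket[i]).conjugate() * inv[i][j] * ket[j]
              for i in range(2) for j in range(2))
    return 1 / val.real


def completely_mixed_example(lam):
    """The decomposition of I/2 quoted in the text, for a weight lam in [0, 1]."""
    return [(lam / 2, proj(KET0)), (lam / 2, proj(KET1)),
            ((1 - lam) / 2, proj(PLUS)), ((1 - lam) / 2, proj(MINUS))]


# Constructed example: extremal, cardinality 2 = rank of rho.
CONSTRUCTED = [(0.5, proj(KET0)), (0.5, proj(PLUS))]

if __name__ == "__main__":
    rho = mix(CONSTRUCTED)
    print(jaynes_probability(rho, KET0), jaynes_probability(rho, PLUS))
    print(max_dev(mix([(1, e) for e in povm_from_decomposition(CONSTRUCTED)]), IDENTITY))
```

Every choice of $\lambda$ in the completely mixed example yields a different valid POVM over the same four elements, whereas the constructed rank-2 decomposition has its weights pinned by Jaynes' rule.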

3.3. The significance of convex decompositions to coherent attacks 

Suppose Alice and Bob share an entangled state for which $\rho$ is the reduced operator on Bob's
system. Prior to any measurements, the best Alice can do in predicting the outcomes of Bob's
measurements is to use the density operator $\rho$ in the Born rule. However, by virtue of the
correlations between her system and Bob's, if she performs a measurement and takes note of
the outcome, her ability to predict the outcomes of Bob's measurements will increase. Since
all of the information that is relevant to Alice predicting the outcomes of Bob's measurements
is encoded in a density operator, it follows that when she learns the outcome of her
measurement, she should update the density operator with which she describes Bob's system.
Suppose that the kth outcome occurs with relative frequency $q_k$, and leads Alice to update
the density operator with which she describes Bob's system to $\sigma_k$. We say that the statistics
of possible updates of Alice's description of Bob's system are given by $\{(q_k, \sigma_k)\}$, that is, a
set of probabilities and density operators.

As it turns out, the possibilities for these statistics are given by the convex decompositions
of $\rho$. Specifically, we have:

HJW Theorem For every measurement Alice can perform, the statistics of possible updates
of her description is given by some convex decomposition of $\rho$, and for every convex
decomposition of $\rho$, there exists some measurement for which the statistics of possible
updates is given by that decomposition.

This was first demonstrated for extremal convex decompositions by Hughston, Jozsa and 
Wootters [13], and it is straightforward to generalize the proof to arbitrary convex decompo- 
sitions. Since this theorem is the key to coherent attacks, we present the generalized proof 
here. 

Proof. Suppose Alice and Bob share a state $|\psi\rangle$ that is a purification of $\rho$ (a normalized
vector in $\mathcal{H}_A \otimes \mathcal{H}_B$ satisfying $\mathrm{Tr}_A(|\psi\rangle\langle\psi|) = \rho$). If the non-zero eigenvalues of $\rho$ are denoted
by $\lambda_j$, and $\{|e_j\rangle\}$ is a set of normalized eigenvectors associated with these eigenvalues, then
$|\psi\rangle$ can always be written as

3 

where $\{|f_j\rangle\}$ is a set of orthonormal vectors for Alice's system. This way of writing $|\psi\rangle$ is
known as the bi-orthogonal or Schmidt decomposition.

We begin by specifying the measurement that Alice must do on her system in order to
have her statistics of possible updates given by the convex decomposition $\{(q_k, \sigma_k)\}$ of $\rho$. If
the POVM on Bob's system that generates this decomposition is denoted by $\{E_k\}$, so that
Eq. (3) holds, and U is the unitary map that satisfies

$$|f_j\rangle = U|e_j\rangle,$$

then the required measurement on Alice's system is the one associated with the POVM
$\{U E_k^T U^\dagger\}_{k=1}^{n}$, where $E_k^T$ denotes the transpose of $E_k$ with respect to the basis of eigenvectors
of $\rho$ (note that this POVM need only be defined over the support of $\mathrm{Tr}_B(|\psi\rangle\langle\psi|)$). The proof
is as follows.

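The entangled state Alice and Bob share can be written in terms of U as

$$|\psi\rangle = \sum_j \sqrt{\lambda_j}\, U|e_j\rangle \otimes |e_j\rangle.$$

Upon measuring the POVM $\{U E_k^T U^\dagger\}$ on her system and obtaining outcome k, the projection
postulate for POVMs dictates that Alice should describe Bob's system by the unnormalized
state

$$\mathrm{Tr}_A\left(\sqrt{U E_k^T U^\dagger}\,|\psi\rangle\langle\psi|\,\sqrt{U E_k^T U^\dagger}\right) = \left(\sum_j \sqrt{\lambda_j}\,|e_j\rangle\langle e_j|\right) E_k \left(\sum_{j'} \sqrt{\lambda_{j'}}\,|e_{j'}\rangle\langle e_{j'}|\right) = q_k \sigma_k.$$

So after this measurement, with probability $q_k$ Alice updates the density operator with which
she describes Bob's system to $\sigma_k$.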

It is also easy to show that the statistics of possible updates are given by some convex
decomposition of $\rho$ for every measurement Alice can do. This follows from the fact that every
POVM can be written in the form $\{U E_k^T U^\dagger\}$ for some choice of $\{E_k\}$ given a particular U. □

When Alice entangles the system she submits to Bob with a system she keeps in her
possession in such a way that Bob's reduced density operator is $\rho$, we shall say that Alice
submits $\rho$ to Bob. When Alice performs a measurement that leads to her statistics of possible
updates being given by the convex decomposition $\{(q_k, \sigma_k)\}$ of $\rho$, we shall say that Alice
realizes this decomposition on Bob's system.

4. The nature of the optimization problem 

In section 2.4, we formulated the problem of determining the optimal cheat strategy for
Alice as a variational problem over the entangled state that she initially prepares and the
measurements she performs on her half of the system. However, from the results of section 3.3
it is clear that in determining Alice's probability of unveiling the bit of her choosing, all that
is important about the entangled state she prepares is the reduced density operator $\rho$ she
submits to Bob, and all that is important about the measurement she performs is the convex
decomposition of $\rho$ that she thereby realizes. It suffices therefore to vary over $\rho$ and its convex
decompositions.

We begin by showing that if Alice is attempting to unveil a bit $b$ then it suffices for her to realize a convex decomposition with a number of elements less than or equal to $n_b$. The proof is as follows. Suppose Alice realizes a convex decomposition $\{(q'_j, \sigma'_j)\}_{j=1}^{n'}$ with a number of elements $n'$ that is greater than $n_b$. She still must announce to Bob an index between 1 and $n_b$, so that the elements of this decomposition must be grouped into $n_b$ sets, where elements in the $k$th set, $S_k$, correspond to announcing the index $k$ to Bob. When Alice announces index $k$, Bob will measure the projector $|\psi_k^b\rangle\langle\psi_k^b|$ and obtain a positive result with probability $\sum_{j \in S_k} q'_j \langle\psi_k^b|\sigma'_j|\psi_k^b\rangle$. However, there is always an $n_b$-element convex decomposition that yields the same probability of a positive result as the one considered here; specifically, the decomposition $\{(q_k, \sigma_k)\}_{k=1}^{n_b}$ with $q_k \sigma_k = \sum_{j \in S_k} q'_j \sigma'_j$.

The probability of Alice succeeding at unveiling the bit $b$ given that she submits $\rho$ and realizes an $n_b$-element convex decomposition $\{(q_k, \sigma_k)\}_{k=1}^{n_b}$ of $\rho$ is

$$P_{Ub} = \sum_{k=1}^{n_b} q_k \langle\psi_k^b|\sigma_k|\psi_k^b\rangle. \qquad (4)$$



Thus, if Alice submits $\rho$ and realizes the convex decompositions $\{(q_k^0, \sigma_k^0)\}_{k=1}^{n_0}$ and $\{(q_k^1, \sigma_k^1)\}_{k=1}^{n_1}$ to unveil bit values of 0 and 1 respectively, then if she is equally likely to wish to unveil 0 as 1 (as we are assuming in this paper), her probability of unveiling the bit of her choosing is

$$P_U = \tfrac{1}{2} P_{U0} + \tfrac{1}{2} P_{U1}$$

-, 1 "6 

6=0 fe=i 

The task is to maximize $P_U$ with respect to variations in $\rho$, $\{(q_k^0, \sigma_k^0)\}_{k=1}^{n_0}$ and $\{(q_k^1, \sigma_k^1)\}_{k=1}^{n_1}$ subject to the constraint that $\rho = \sum_{k=1}^{n_0} q_k^0 \sigma_k^0 = \sum_{k=1}^{n_1} q_k^1 \sigma_k^1$.

It is useful to divide this optimization problem into two steps. In the first step one determines, for an arbitrary but fixed $\rho$, the $n_b$-element convex decomposition of $\rho$ that maximizes the probability $P_{Ub}$ of Alice unveiling the bit $b$. Given this solution, the probability $P_U$ of Alice unveiling the bit of her choosing can be expressed entirely in terms of the submitted $\rho$. In the second step one determines the $\rho$ that maximizes $P_U$.

5. Results for general protocols 

5.1. The connection to state estimation 

We will show that the problem of optimizing the choice of convex decomposition for an arbitrary but fixed density operator has an intimate connection to the problem of optimal state estimation. As discussed in section 3.2, for every convex decomposition $\{(q_k, \sigma_k)\}$ there exists a POVM $\{E_k\}$, defined over the support of $\rho$, that generates this decomposition as in Eq. (3). Thus, Eq. (4) can be written as

$$P_{Ub} = \sum_{k=1}^{n_b} \langle\psi_k^b|\sqrt{\rho}\, E_k \sqrt{\rho}\,|\psi_k^b\rangle.$$

A set of normalized states $\{|\chi_k^b\rangle\}$ and probabilities $\{w_k^b\}$ can be defined in terms of $\rho$ and $\{|\psi_k^b\rangle\}$ as follows:

\xi) - ^^tlL, (6) 
In terms of these, $P_{Ub}$ has the form

$$P_{Ub} = C \sum_{k=1}^{n_b} w_k^b \langle\chi_k^b|E_k|\chi_k^b\rangle,$$

where $C = \sum_k \langle\psi_k^b|\rho|\psi_k^b\rangle$.

We now recall [2] the problem of estimating the state of a system that is known to have been prepared in one of $n_b$ states $\{|\chi_k^b\rangle\}$ with prior probabilities $\{w_k^b\}$. The most general type of measurement is a POVM measurement, and it suffices to consider POVMs that have $n_b$ elements (this is established by an argument exactly analogous to the one provided above for the sufficiency of $n_b$-element decompositions in optimizing over coherent attacks). For a measurement of the POVM $\{E_k\}$, the probability of estimating correctly is $\sum_{k=1}^{n_b} w_k^b \langle\chi_k^b|E_k|\chi_k^b\rangle$.

The connection between our problem and the state estimation problem is now clear. If $\{|\chi_k^b\rangle\}$ and $\{w_k^b\}$ are defined by Eqs. (6) and (7), and $\{E_k\}$ is defined by (3), then the following relation holds. The probability of unveiling a bit $b$, associated with a set of states $\{|\psi_k^b\rangle\}$, when Bob's reduced density operator is $\rho$, given that Alice's strategy consists of realizing an $n_b$-element convex decomposition $\{(q_k, \sigma_k)\}$ of $\rho$, is a constant multiple of the probability of correctly estimating the state of a system, known to be prepared in one of $n_b$ states $\{|\chi_k^b\rangle\}$ with prior probabilities $\{w_k^b\}$, given a measurement of the POVM $\{E_k\}$.

So, if one has the solution to the problem of finding the POVM that maximizes the probability of correctly estimating the state of a system from among a set of pure states, then one also has the solution to the problem of finding the convex decomposition of $\rho$ that Alice should realize to maximize her probability of passing Bob's test. There is a duality between these two information theoretic tasks.

This result is very useful since it connects a task about which very little is known to one 
about which a great deal is known. In particular, one is able to infer some general features of 
the optimal cheat strategy by appealing to some well-known theorems on state estimation. 

One such feature is that if the $\{|\psi_k^b\rangle\}$ are linearly independent, and the support of $\rho$ is the span of the $\{|\psi_k^b\rangle\}$, then the optimal convex decomposition of $\rho$ is an extremal decomposition. The proof is as follows. If the $\{|\psi_k^b\rangle\}$ are linearly independent and span the support of $\rho$, then the $\{|\chi_k^b\rangle\}$ are linearly independent. It is well known that in estimating a state drawn from a set of linearly independent states, the optimal POVM has elements of rank 1 [2]. The convex decomposition that is associated with such a POVM has elements that are pure states, i.e., it is extremal.

5.2. The support of the optimal density operator 

We now turn to the problem of determining the optimal density operator for Alice to submit to Bob. We begin by showing that although Alice could cheat by submitting a system with more degrees of freedom than the honest protocol specifies, she gains no advantage by doing so. In other words, the optimal $\rho$ has a support that is equal to or a subspace of the span of $\{|\psi_k^0\rangle\}_{k=1}^{n_0} \cup \{|\psi_k^1\rangle\}_{k=1}^{n_1}$. We establish this by showing that for any $\rho^*$ that has support strictly greater than this span, there is a $\rho$ that has support that is equal to or a subspace of this span and that yields a greater value of $P_U$. Suppose the optimal convex decomposition of $\rho^*$ for unveiling bit $b$ is denoted $\{(q_k^{b*}, \sigma_k^{b*})\}_{k=1}^{n_b}$. The maximum probability of Alice unveiling




the bit of her choosing using $\rho^*$ is then

, 1 rib 
fc=0 fe=l 

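However, if Alice submits the density operator

$$\rho = G \rho^* G / \mathrm{Tr}(\rho^* G),$$

where $G$ is the projector onto the span of $\{|\psi_k^0\rangle\}_{k=1}^{n_0} \cup \{|\psi_k^1\rangle\}_{k=1}^{n_1}$, and realizes the convex decomposition $\{(q_k^b, \sigma_k^b)\}_{k=1}^{n_b}$ defined by $q_k^b \sigma_k^b = G q_k^{b*} \sigma_k^{b*} G / \mathrm{Tr}(\rho^* G)$, then her probability of unveiling whatever bit she desires is

$$P_U(\rho) = P_U^{\max}(\rho^*) / \mathrm{Tr}(\rho^* G).$$

Since $\mathrm{Tr}(\rho^* G) < 1$, it follows that $P_U(\rho) > P_U^{\max}(\rho^*)$.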

5.3. Conditions for unveiling with certainty 

Finally, we consider the question of whether, for a particular protocol, Alice can unveil the bit of her choosing with certainty. The necessary and sufficient condition for there to be a strategy that makes $P_{Ub} = 1$ for a given $b$, is that $\rho$ is decomposed by the set of states $\{|\psi_k^b\rangle\}_{k=1}^{n_b}$, that is, there must exist a probability distribution $\{q_k^b\}_{k=1}^{n_b}$ such that $\{(q_k^b, |\psi_k^b\rangle\langle\psi_k^b|)\}_{k=1}^{n_b}$ forms a convex decomposition of $\rho$. The necessary and sufficient condition for there to be a strategy that makes $P_U = 1$ is that there exists a $\rho$ that is decomposed by both $\{|\psi_k^0\rangle\}_{k=1}^{n_0}$ and $\{|\psi_k^1\rangle\}_{k=1}^{n_1}$. In the terminology of section 3.1, $\{|\psi_k^0\rangle\}_{k=1}^{n_0}$ and $\{|\psi_k^1\rangle\}_{k=1}^{n_1}$ must be composably coincident.

The results described in this section constitute all that we shall say about the optimal cheat strategy for an arbitrary protocol. For the rest of this paper, we shall restrict ourselves to the special case of sets $\{|\psi_k^0\rangle\}_{k=1}^{n_0}$ and $\{|\psi_k^1\rangle\}_{k=1}^{n_1}$ whose union span at most a two dimensional Hilbert space, that is, protocols that can be implemented using a single qubit.

6. Results for qubit protocols 

6.1. The Bloch ball representation 

Our optimization problem is greatly simplified in the case of a 2D Hilbert space since there is a one-to-one mapping between the set of all density operators in such a space and the set of all points within the unit ball of $\mathbb{R}^3$. For clarity, we begin by reminding the reader about the details of this mapping.

If one defines an inner product between operators $A$ and $B$ by $\mathrm{Tr}(A^\dagger B)$, the set of operators over a Hilbert space forms an inner product space. In a 2D Hilbert space, a particularly convenient orthogonal basis for the set of operators is the set of Pauli operators $\{\sigma_x, \sigma_y, \sigma_z, I\}$, with matrix representations in the $\{|0\rangle, |1\rangle\}$ basis of
Any operator $A$ can therefore be written as $A = \tfrac{1}{2}(a_0 I + \vec{a} \cdot \vec{\sigma})$ where $\vec{\sigma} = (\sigma_x, \sigma_y, \sigma_z)$ and $\vec{a} = (a_x, a_y, a_z)$, with $a_0, a_x, a_y, a_z \in \mathbb{C}$. In particular, for a density operator $\rho$, the constraints of unit trace ($\mathrm{Tr}(\rho) = 1$) and positivity ($\det(\rho) \ge 0$) imply that

where $\vec{r} \in \mathbb{R}^3$ and $|\vec{r}| \le 1$.

Thus we see that every density operator is represented by a vector $\vec{r}$ within the unit ball of $\mathbb{R}^3$, which we shall refer to as the Bloch ball.*

Density operators describing pure states are characterized by a vanishing determinant which corresponds to a vector of unit length, $|\vec{r}| = 1$, which we shall sometimes denote by $\hat{r}$. Thus, pure states are represented by the points on the surface of the ball. The completely mixed state, $\rho = \tfrac{1}{2} I$, is represented by $\vec{r} = 0$, which is the point at the centre of the ball. If two density operators $\rho_1$ and $\rho_2$ are represented by vectors $\vec{r}_1$ and $\vec{r}_2$, the inner product between $\rho_1$ and $\rho_2$ is given by $\mathrm{Tr}(\rho_1 \rho_2) = \tfrac{1}{2}(1 + \vec{r}_1 \cdot \vec{r}_2)$. It follows that orthogonal states are represented by antipodal points, since $\mathrm{Tr}(\rho_1 \rho_2) = 0$ implies $\vec{r}_1 \cdot \vec{r}_2 = -1$.

We are now in a position to obtain a representation on the Bloch ball of all the density operators that can be formed by convex combination of a particular set of elements $\{\sigma_k\}_{k=1}^{n}$, that is, all the $\rho$ that have the form

$$\rho = \sum_{k=1}^{n} q_k \sigma_k$$

for some probability distribution $\{q_k\}_{k=1}^{n}$. Since the set of density operators that can be formed by an arbitrary set of elements $\{\sigma_k\}_{k=1}^{n}$ is the same as the set that can be formed by an uncontractable set of elements from which all the states in $\{\sigma_k\}_{k=1}^{n}$ can be built up by convex combination, it suffices to consider only uncontractable sets of elements.

Denoting the Bloch vectors associated with $\rho$ and $\sigma_k$ by $\vec{r}$ and $\vec{s}_k$ respectively, it is easy to see that the relevant set is given by

$$\vec{r} = \sum_{k=1}^{n} q_k \vec{s}_k, \quad \text{where } 0 \le q_k \le 1, \ \sum_{k=1}^{n} q_k = 1.$$

To understand what this manifold of points looks like, consider the simplest case of $n = 2$. The above equation can then be written as

$$\vec{r} = \vec{s}_1 + \lambda (\vec{s}_2 - \vec{s}_1), \quad \text{where } 0 \le \lambda \le 1.$$

This is simply the parametric equation for a segment of a straight line extending between $\vec{s}_1$ and $\vec{s}_2$. Similarly, in the case of $n = 3$, we have

$$\vec{r} = \vec{s}_1 + \lambda (\vec{s}_2 - \vec{s}_1) + \xi (\vec{s}_3 - \vec{s}_2),$$

where $0 \le \lambda \le 1$ and $0 \le \xi \le \lambda$. Since $\sigma_1$, $\sigma_2$ and $\sigma_3$ were assumed to form an uncontractable set of elements, $\vec{s}_1$, $\vec{s}_2$ and $\vec{s}_3$ cannot lie on a line, and therefore define the vertices of a triangle. The above equation is the parametric equation for the surface of points inside this triangle.

* The surface of the ball is usually referred to as the Bloch sphere or the Riemann sphere in the context of spins, and the Poincaré sphere in the context of photon polarization.

For $n = 4$, we have

$$\vec{r} = \vec{s}_1 + \lambda (\vec{s}_2 - \vec{s}_1) + \xi (\vec{s}_3 - \vec{s}_2) + \zeta (\vec{s}_4 - \vec{s}_3),$$

where $0 \le \lambda \le 1$, $0 \le \xi \le \lambda$ and $0 \le \zeta \le \xi$. Again, since $\sigma_1$, $\sigma_2$, $\sigma_3$ and $\sigma_4$ were assumed to form an uncontractable set of elements, none of $\vec{s}_1$, $\vec{s}_2$, $\vec{s}_3$ or $\vec{s}_4$ can lie along the line segment defined by any other two, nor inside the surface of the triangle defined by any other three, and thus these vectors define the vertices of either a convex quadrilateral or a tetrahedron. The above equation is the parametric equation for the surface of points inside this quadrilateral, or the volume of points inside this tetrahedron. Similarly, for greater than 4 uncontractable elements, we obtain the parametric equation for the points inside an $n$-vertex convex polygon or convex polyhedron. All told, in the case of a set of $n$ uncontractable elements, the set of density operators that can be composed from these will be represented by the region inside an $n$-vertex convex polytope. A few different sets of states and the density operators that can be composed from them are depicted in Fig. 1.




Fig. 1. A depiction of three sets of states containing 2, 3 and 4 elements respectively. The points 
in the Bloch ball representing these states are indicated by small black spheres. The manifolds 
inside the line segment, triangle and tetrahedron that are defined by each set of points represent 
all the density operators that can be composed with each set of states. 

It is now easy to see the solution to a complementary problem, namely, how to obtain a representation on the Bloch ball of all the uncontractable convex decompositions of a particular density operator $\rho$. If $\rho$ is represented by the point $\vec{r}$, then every $n$-element uncontractable convex decomposition of $\rho$ is represented by an $n$-vertex convex polytope which contains $\vec{r}$. For instance, every 2-element uncontractable convex decomposition of $\rho$ is represented by a line segment that contains $\vec{r}$; every 3-element uncontractable convex decomposition of $\rho$ is represented by a triangle that contains $\vec{r}$, and so forth. In Fig. 2, we illustrate a few of the convex decompositions of a fixed density operator.

Of particular interest to us in the present context are extremal convex decompositions of a density operator $\rho$ (which are always uncontractable). Since pure states are associated with unit Bloch vectors, the convex polytopes associated with such decompositions have their vertices on the surface of the Bloch ball. Fig. 2 provides an example of this distinction.
Fig. 2. An illustration of three convex decompositions of a fixed density operator, two of which 
are 2-element decompositions, and one of which is a 3-element decomposition. The point in the 
Bloch ball representing the density operator is indicated with a large black sphere. Each convex 
decomposition is represented by a polytope containing the point representing the density operator, 
the vertices of which represent the elements of the decomposition. These are indicated in grey. 
The longer of the two line segments, which has its vertices on the surface of the Bloch ball, is an 
example of an extremal convex decomposition. 



6.2. The conditions under which Alice can unveil the bit of her choosing with certainty

In section 5.3 it was pointed out that a strategy with $P_{Ub} = 1$ exists if and only if $\rho$ is decomposed by the states $\{|\psi_k^b\rangle\}$. The Bloch ball representation gives a simple way of testing whether this condition is satisfied for protocols restricted to a 2D Hilbert space. It suffices to plot the convex polytope whose vertices are the points representing the $\{|\psi_k^b\rangle\}$ and to determine whether the point representing $\rho$ is contained in this polytope or not. If it is, then Alice can unveil bit $b$ with certainty. If it is not, then she cannot. An example of the two possibilities is provided in Fig. 3.




Fig. 3. A depiction of a fixed density operator and two sets of states, the lower of which 
decomposes the density operator and the uppermost of which does not. 



More importantly, we can now answer the question of whether there exists a strategy for Alice with $P_U = 1$ for protocols restricted to a 2D Hilbert space. As pointed out in section 5.3 this only occurs if the two sets of states are composably coincident. It is clear now how to verify whether this is the case or not. Simply plot the convex polytopes associated with both sets of states, and determine whether they intersect one another or not. If they do, then any point inside the region of intersection corresponds to a density operator that is decomposed by both sets and consequently lets Alice unveil the bit of her choosing with probability 1. If they do not, then this probability is strictly less than 1.

The convex polytopes associated with the sets of states used in the BB84 BC protocol are depicted in Fig. 4. Since these cross at the origin, it follows that if Alice submits to Bob the completely mixed state, she can achieve $P_U = 1$. So we simply have a restatement of the fact that if Alice initially prepares a maximally entangled state, such as the EPR state, and submits half to Bob, then she can achieve $P_U = 1$. The protocols we shall consider in the rest of this paper are associated with non-intersecting convex polytopes. See Figs. 6-10 for examples.




Fig. 4. The Bloch ball representation of the BB84 BC protocol. Since the polytopes representing 
the sets of states defined by the protocol intersect, Alice can submit the density operator associated 
with their intersection to make her probability of unveiling whatever bit she desires equal to unity. 



6.3. Optimizing over the convex decompositions of an arbitrary but fixed density operator

We now turn to the problem of determining the optimal EPR cheating strategy for a qubit 
protocol. We do not solve this problem completely; rather, we solve it under the further 
restriction that each set contains only linearly independent states. In the present 2D context, 
linear independence implies that each set can have no more than two elements. 

As discussed in section 4, it is useful to split the problem into two parts involving optimization over convex decompositions of an arbitrary but fixed density operator, followed by optimization over density operators. We address these two parts of the problem in this section and the next section respectively.

We begin with the problem of maximizing the probability, $P_{Ub}$, that Alice can unveil the bit $b$ given that she submitted a density operator $\rho$. This maximum must be found with respect to variations in the convex decomposition of $\rho$ that she realizes. The optimal decomposition will depend on $\rho$ and the states in the set $\{|\psi_k^b\rangle\}$. In order to simplify the notation in this section, we drop the index $b$ from $|\psi_k^b\rangle$ and $n_b$. We also assume that $\rho$ is impure, since otherwise there is no optimization problem to be solved.
6.3.1. A set containing one element ($n = 1$)

In this case, Bob's test is fixed (he always measures the projector onto $|\psi_1\rangle$), so the probability of passing this test depends only on $\rho$ and not on the convex decomposition of $\rho$ that Alice realizes. Thus, there is no optimization over decompositions to be performed in this case.

6.3.2. A set containing two elements ($n = 2$)

Let the Bloch vectors associated with $|\psi_k\rangle$ and $\rho$ be denoted by $\vec{a}_k$ and $\vec{r}$ respectively, and let those associated with the elements, $\sigma_k$, of the two-element convex decomposition $\{(q_k, \sigma_k)\}_{k=1}^{2}$ that Alice realizes be denoted by $\vec{s}_k$. In terms of these, Alice's probability of passing Bob's test, specified by Eq. (4), has the following form

$$P_{Ub} = \frac{1}{2} \left[ 1 + \sum_{k=1}^{2} q_k \, (\vec{a}_k \cdot \vec{s}_k) \right]. \qquad (9)$$

We must maximize this subject to the constraint that $\vec{r} = \sum_k q_k \vec{s}_k$.
We find that the optimal convex decomposition of $\vec{r}$ is given by



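$$\vec{s}_1^{\,\mathrm{opt}} = \vec{r} + L_+(\vec{r}) \, \vec{d},$$

and

$$\vec{s}_2^{\,\mathrm{opt}} = \vec{r} + L_-(\vec{r}) \, \vec{d}, \qquad (10)$$

$$q_k^{\mathrm{opt}} = \frac{1}{2} \, \frac{1 - |\vec{r}|^2}{1 - \vec{r} \cdot \vec{s}_k^{\,\mathrm{opt}}},$$

where

$$L_\pm(\vec{r}) = -\vec{r} \cdot \vec{d} \pm \sqrt{1 - |\vec{r}|^2 + (\vec{r} \cdot \vec{d})^2}, \qquad (12)$$

and

$$\vec{d} = \frac{\vec{a}_1 - \vec{a}_2}{|\vec{a}_1 - \vec{a}_2|}. \qquad (13)$$

Note that $|\vec{s}_1^{\,\mathrm{opt}}| = |\vec{s}_2^{\,\mathrm{opt}}| = 1$, which means that this is an extremal convex decomposition. The proof of optimality is presented in Appendix A.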

This solution has a very simple geometrical description. It is the convex decomposition that is represented by the chord (line segment whose endpoints lie on the surface of the ball) that contains $\vec{r}$ and that is parallel to the chord defined by $\vec{a}_1$, $\vec{a}_2$. An example is presented in Fig. 5.

The corresponding probability of passing Bob's test is simply

$$P_{Ub}^{\max} = \frac{1}{2} \left[ 1 + \left( \vec{r} + L_+(\vec{r}) \, \vec{d} \right) \cdot \vec{a}_1 \right].$$



In Hilbert space language. 



^^r = ^((^iipi'/^i) + (^2ipiV'2)) 



-^2 (1 - Tr(p2)) |(^i|^2)|' + ((^iIpIV-i) - {HplHf. 
Fig. 5. An illustration of the optimal convex decomposition for Alice to realize when she has submitted to Bob a fixed density operator (indicated by the large black sphere) and is attempting to convince him that he has one of two states (indicated by the small black spheres). This is represented by the chord (indicated in grey) that is parallel to the chord defined by the two states. After Alice realizes this decomposition (by making a measurement on the system that is entangled with Bob's), she updates her description of Bob's system to whichever of the elements it happened to be collapsed to (indicated by the grey spheres). When it comes time for Alice to announce to Bob which of the two states he should test for to verify her honesty, she announces the state which has the smallest angular separation from the element of the decomposition onto which she has collapsed his system.



6.4. Optimizing over density operators 

We now consider the problem of determining the optimal density operator for Alice to submit to Bob in order to maximize her probability of unveiling the bit of her choosing. The solution will depend on the values of $n_0$ and $n_1$. Given that we are assuming that the states in the sets $\{|\psi_k^0\rangle\}_{k=1}^{n_0}$ and $\{|\psi_k^1\rangle\}_{k=1}^{n_1}$ are linearly independent, there are only three possibilities to address: both sets contain two elements; one set contains two elements and the other contains one element; both sets contain one element. We shall consider each of these in turn.



6.4.1. Both sets contain two elements ($n_0 = n_1 = 2$)

Denote the Bloch vector associated with the state $|\psi_k^b\rangle$ by $\vec{a}_k^b$. The result of the previous section indicates that whatever the optimal $\vec{r}$ is, the optimal convex decomposition for unveiling bit $b$ is represented by the chord passing through $\vec{r}$ parallel to the chord defined by $\vec{a}_1^b$, $\vec{a}_2^b$. We therefore have that Alice's probability of unveiling the bit of her choosing given an arbitrary $\vec{r}$ and given that when she attempts to unveil the bit $b$ she realizes the convex decomposition of $\vec{r}$ that is optimal for doing so, is simply

$$P_U = \frac{1}{4} \sum_{b=0}^{1} \left[ 1 + \left( \vec{r} + L_{b+}(\vec{r}) \, \vec{d}_b \right) \cdot \vec{a}_1^b \right], \qquad (14)$$



where $\vec{d}_b$

and

$$L_{b+}(\vec{r}) = -\vec{r} \cdot \vec{d}_b + \sqrt{1 - |\vec{r}|^2 + (\vec{r} \cdot \vec{d}_b)^2}.$$



It will be convenient to adopt the convention that the states in the protocol are indexed in such a way that $\langle\psi_1^0|\psi_1^1\rangle = \max_{k,k'} \langle\psi_k^0|\psi_{k'}^1\rangle$. In terms of the Bloch ball, the convention states that if one draws the chords defined by $\vec{a}_1^0, \vec{a}_2^0$ and $\vec{a}_1^1, \vec{a}_2^1$, the endpoints $\vec{a}_1^0$ and $\vec{a}_1^1$ have the smallest separation.

We consider two cases.

Case 1: The chords defined by $\vec{a}_1^0, \vec{a}_2^0$ and $\vec{a}_1^1, \vec{a}_2^1$ are parallel.

In this case $\vec{d}_0 = \vec{d}_1$ and there are a family of optimal $\vec{r}$'s satisfying the parametric equation



<opt _ 



Adn, for < A < 2- 



• dn. 



(15) 



This family corresponds to the points on the chord of the Bloch ball that is parallel to the chord defined by $\vec{a}_1^0, \vec{a}_2^0$ (or $\vec{a}_1^1, \vec{a}_2^1$) and that passes through the point on the surface of the ball that is equidistant between $\vec{a}_1^0$ and $\vec{a}_1^1$. This is illustrated in Fig. 7.

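Case 2: The chords defined by $\vec{a}_1^0, \vec{a}_2^0$ and $\vec{a}_1^1, \vec{a}_2^1$ are not parallel.

In this case, the optimal $\vec{r}$ is unique and is given by

$$\vec{r}^{\,\mathrm{opt}} = \begin{cases} \vec{r}^{\,\max} & \text{if } |\vec{r}^{\,\max}| \le 1 \\[4pt] \dfrac{\vec{a}_1^0 + \vec{a}_1^1}{|\vec{a}_1^0 + \vec{a}_1^1|} & \text{otherwise} \end{cases} \qquad (16)$$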



where 
Here 



/^max _ ^max^± , ^max^± , max - 



max 
Xq 



max 
X2 



-d}.dYy'i-(4°-)^ 



71 



aO J±, /i /__rnax\2 



70 



(17) 



d'l-d^^^i-ixr^y 

(d° + d}) -h 



(18) 



where 76 = y 1 — {d\ ■ fij and where 



n = da X di, 
df^ = d}j X fi, 



f.b\ 



(19) 



Thus, the solution has one of two forms depending on whether the condition $|\vec{r}^{\,\max}| \le 1$ holds or not. If it does not hold, then $\vec{r}^{\,\mathrm{opt}} = (\vec{a}_1^0 + \vec{a}_1^1)/|\vec{a}_1^0 + \vec{a}_1^1|$, which is simply the point on the surface of the Bloch ball that is equidistant between $\vec{a}_1^0$ and $\vec{a}_1^1$ along the geodesic which connects them (recall that in our labelling convention $\vec{a}_1^0$ and $\vec{a}_1^1$ are the closest endpoints of the chords defined by $\vec{a}_1^0, \vec{a}_2^0$ and $\vec{a}_1^1, \vec{a}_2^1$). Fig. 6 provides an example of a BC protocol where this is the case. If the condition $|\vec{r}^{\,\max}| \le 1$ does hold, then $\vec{r}^{\,\mathrm{opt}} = \vec{r}^{\,\max}$. We do not attempt to provide a geometrical description of this point in the general case, however Figs. 4 and 9 provide simple examples of BC protocols where $|\vec{r}^{\,\max}| \le 1$.
Fig. 6. A BC protocol where the two sets of states are represented by chords that lie in a plane, but which do not intersect inside the Bloch ball. The optimal density operator is represented by the point that lies equidistant between the two closest chord endpoints on the geodesic which connects them.



In situations having a high degree of symmetry, one can easily deduce some of the features of $\vec{r}^{\,\mathrm{opt}}$. We present a few such cases.

Case 2.1: If the chord defined by $\vec{a}_1^0$ and $\vec{a}_2^0$ and the chord defined by $\vec{a}_1^1$ and $\vec{a}_2^1$ lie in a plane, then $\vec{r}^{\,\max}$ is the point of intersection of the lines containing these chords. If this point falls inside the Bloch ball ($|\vec{r}^{\,\max}| \le 1$), then it represents the optimal density operator. This confirms the results of section 5.3. The BB84 BC protocol, illustrated in Fig. 4, is an instance of such a case. If the point of intersection falls outside the Bloch ball ($|\vec{r}^{\,\max}| > 1$), then the optimal density operator is as described above. The BC protocol that is illustrated in Fig. 6 is an instance of such a case.

Case 2.2: If the chord defined by $\vec{a}_1^0$ and $\vec{a}_2^0$ and the chord defined by $\vec{a}_1^1$ and $\vec{a}_2^1$ both pass through the $\vec{n}$ axis, then $\vec{r}^{\,\mathrm{opt}}$ lies along this axis.

Case 2.3: If the chord defined by $\vec{a}_1^0$ and $\vec{a}_2^0$ and the chord defined by $\vec{a}_1^1$ and $\vec{a}_2^1$ are parallel to, equidistant from, and on either side of the equatorial plane perpendicular to $\vec{n}$, then $\vec{r}^{\,\mathrm{opt}}$ lies in that plane.

If the conditions of cases 2.2 and 2.3 both hold, then $\vec{r}^{\,\mathrm{opt}}$ lies at the centre of the Bloch ball. This corresponds to Alice submitting the completely mixed state. An example of such a protocol is provided in Fig. 9. Although in the example of this figure the two chords point in orthogonal directions, this is not necessary; it is only necessary that they not be parallel.

The proofs of the results of this section are presented in Appendix B. 



6.4.2. One set contains one element and one set contains two elements ($n_0 = 1, n_1 = 2$)

We now assume that one of the sets $\{|\psi_k^0\rangle\}_{k=1}^{n_0}$ and $\{|\psi_k^1\rangle\}_{k=1}^{n_1}$ has only a single element while the other has two. Without loss of generality we may assume that the single element set is the $b = 0$ set, and we denote its unique element by $|\psi^0\rangle$. So in order to unveil a bit value of 1 Alice can announce either $k = 1$ or $k = 2$ and must then pass Bob's test for $|\psi_k^1\rangle$, while to unveil a bit value of 0 Alice has no choice but to pass a test for the state $|\psi^0\rangle$.

We first consider the case where $\langle\psi^0|\psi_1^1\rangle = \langle\psi^0|\psi_2^1\rangle$. This corresponds to case 1 of section 6.4.1 in the limit that $\vec{a}_1^0$ and $\vec{a}_2^0$ converge to a single point $\vec{a}^0$ representing $|\psi^0\rangle$. There is a family of optimal solutions of the form



i'opt 



Xdi, for 0< A< 2. 



This family corresponds to the points on the chord of the Bloch ball that is parallel to the chord defined by $\vec{a}_1^1, \vec{a}_2^1$ and that passes through the point on the surface of the ball that is equidistant between $\vec{a}^0$ and $\vec{a}_1^1$. The BC protocol illustrated in Fig. 10 is an example of this case. The case $\langle\psi^0|\psi_1^1\rangle \ne \langle\psi^0|\psi_2^1\rangle$ corresponds to case 2 of section 6.4.1 in the limit that $\vec{a}_1^0$ and $\vec{a}_2^0$ converge to the point $\vec{a}^0$. In this limit, we find that $|\vec{r}^{\,\max}| > 1$. Consequently,



?opt 



6.4.3. Both sets contain one element ($n_0 = 1, n_1 = 1$)

We now assume there is only a single element in both of the sets, and denote each of these states by $|\psi^b\rangle$. Thus to unveil a bit value of $b$ Alice must pass Bob's test for $|\psi^b\rangle$. Consider first the possibility that $|\psi^0\rangle$ and $|\psi^1\rangle$ are orthogonal. In this case, no matter what $\rho$ Alice submits, her probability of unveiling either bit is strictly 1/2.

When $|\psi^0\rangle$ and $|\psi^1\rangle$ are not orthogonal, the situation corresponds to case 2 of section 6.4.1, in the limit that $\vec{a}_1^b$ and $\vec{a}_2^b$ converge to a single point $\vec{a}^b$ for both values of $b$. In this limit we again find $|\vec{r}^{\,\max}| > 1$. Consequently,

$$\vec{r}^{\,\mathrm{opt}} = \frac{\vec{a}^0 + \vec{a}^1}{|\vec{a}^0 + \vec{a}^1|}.$$



An example is presented in Fig. 8. 




Fig. 7. An illustration of a BC protocol of the form proposed by Aharonov et al. [11]. The two sets of states are given by Eq. (20) with $\theta = \pi/8$. There is a family of optimal density operators lying along the chord indicated in grey.



7. Applications of the results 

These results can be applied to the generalized BB84 BC protocol proposed by Aharonov et al. [11]. The protocol is defined by the following states, from which an honest Alice chooses uniformly

$$|\psi_1^1\rangle = |\pi/2 - \theta\rangle, \quad |\psi_2^1\rangle = |\pi/2 + \theta\rangle, \qquad (20)$$

where $|\theta\rangle = \cos\theta \, |0\rangle + \sin\theta \, |1\rangle$ and $\theta$ is some fixed angle satisfying $0 < \theta < \pi/4$. The sets of states associated with bits 0 and 1 describe parallel chords on the Bloch ball, as depicted in Fig. 7. We therefore have an instance of case 1 of section 6.4.1. It follows that an optimal strategy for Alice is to simply submit $|+\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and tell Bob to test for $|\psi_1^b\rangle$, where $b$ is the bit she wishes to unveil. Another is to submit $|-\rangle = \tfrac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$ and to tell Bob to test for $|\psi_2^b\rangle$. So Alice does not need to make use of entanglement in this case. The most general optimal strategy is for Alice to submit $\rho = w \, |+\rangle\langle+| + (1 - w) \, |-\rangle\langle-|$, realize the convex decomposition $\{(w, |+\rangle\langle+|), ((1 - w), |-\rangle\langle-|)\}$, and tell Bob to test for $|\psi_1^b\rangle$ ($|\psi_2^b\rangle$) upon obtaining the outcome $|+\rangle$ ($|-\rangle$). Alice's maximum probability of unveiling whatever bit she desires is

$$P_U^{\max} = \tfrac{1}{2}(1 + \sin 2\theta).$$

Previously, the best known upper bound on this probability was 

Pu<l{i + ^,{VTT^^^^^9-i 

as can be inferred from the results in section 5 of Ref. [11]. In the case of $\theta = \pi/8$, we find $P_U^{\max} \simeq .85355$, while the previous best bound evaluates to approximately $.91421$.

We can now compare this with Bob's maximal probability of estimating Alice's commitment correctly. If Alice follows the honest protocol for committing a bit $b$, she chooses uniformly between $|\psi_1^b\rangle$ and $|\psi_2^b\rangle$ and submits a system in this state. Bob must therefore discriminate between density operators $\rho_0$ and $\rho_1$ defined by $\rho_b = \tfrac{1}{2} \sum_{k=1}^{2} |\psi_k^b\rangle\langle\psi_k^b|$. His maximum probability of doing so is given by Eq. (1), in this case,

$$P_E^{\max} = \tfrac{1}{2}(1 + \cos 2\theta).$$

It is worth noting that the quantity $\tfrac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1|$ appearing in Eq. (1) is simply half the Euclidean distance between the points in the Bloch ball representing $\rho_0$ and $\rho_1$.

From the above expressions for $P_U^{\max}$ and $P_E^{\max}$, we can conclude that there is a trade-off between these quantities of the form

$$(P_U^{\max} - 1/2)^2 + (P_E^{\max} - 1/2)^2 = 1/4. \qquad (21)$$

At $\theta = 0$, $P_E^{\max} = 1$ and $P_U^{\max} = 1/2$, so that there is no concealment against Bob, but perfect bindingness against Alice (since $P_U^{\max} = 1/2$ for an honest Alice). At $\theta = \pi/4$, $P_E^{\max} = 1/2$ and $P_U^{\max} = 1$, so that the roles of Alice and Bob are reversed. The only choice of $\theta$ leading to a 'fair' protocol is $\theta = \pi/8$. In this case, $P_E^{\max} = P_U^{\max} = \tfrac{1}{2} + \tfrac{1}{2\sqrt{2}}$.
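The figures quoted in this section can be reproduced from the Bloch-ball formulas. The following Python is an added example, not code from the paper: it implements the chord decomposition of Eqs. (10), (12) and (13), evaluates Eq. (9) at that optimum, and searches a grid over the Bloch ball to confirm that no submitted state beats $\tfrac{1}{2}(1 + \sin 2\theta)$. Assumptions: all function names are illustrative, the bit-0 pair is taken to be $|\pm\theta\rangle$, the BB84 BC sets are taken to be $\{|0\rangle, |1\rangle\}$ and $\{|+\rangle, |-\rangle\}$, and Eq. (1) is taken to be $P_E = \tfrac{1}{2}(1 + \tfrac{1}{2}\mathrm{Tr}|\rho_0 - \rho_1|)$.

```python
import math

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def axpy(u, s, v):
    """Return u + s*v for 3-vectors."""
    return tuple(a + s * b for a, b in zip(u, v))

def norm(u):
    return math.sqrt(dot(u, u))

def bloch(theta, phi=0.0):
    """Bloch vector of cos(theta)|0> + e^{i phi} sin(theta)|1>."""
    return (math.sin(2 * theta) * math.cos(phi),
            math.sin(2 * theta) * math.sin(phi),
            math.cos(2 * theta))

def optimal_chord(r, a1, a2):
    """Eqs. (10), (12), (13): the chord through r parallel to the chord a1-a2.

    Returns ((q1, s1), (q2, s2)) with r = q1*s1 + q2*s2 and |s1| = |s2| = 1.
    """
    diff = axpy(a1, -1.0, a2)
    d = tuple(x / norm(diff) for x in diff)            # Eq. (13)
    x = dot(r, d)
    root = math.sqrt(max(0.0, 1.0 - dot(r, r) + x * x))
    if root < 1e-12:        # r is pure and the chord is tangent: nothing to split
        return (1.0, r), (0.0, r)
    s1 = axpy(r, -x + root, d)                         # r + L_+(r) d
    s2 = axpy(r, -x - root, d)                         # r + L_-(r) d
    q1 = (x + root) / (2.0 * root)                     # fixed by r = q1*s1 + q2*s2
    return (q1, s1), (1.0 - q1, s2)

def p_unveil_bit(r, states):
    """Alice's best chance of passing Bob's test for one bit (Eq. (9) at the optimum)."""
    if len(states) == 1:                               # section 6.3.1: Bob's test is fixed
        return 0.5 * (1.0 + dot(states[0], r))
    a1, a2 = states
    (q1, s1), (q2, s2) = optimal_chord(r, a1, a2)
    return 0.5 * (1.0 + q1 * dot(a1, s1) + q2 * dot(a2, s2))

def p_unveil(r, set0, set1):
    """P_U for a submitted Bloch vector r, both bits equally likely."""
    return 0.5 * (p_unveil_bit(r, set0) + p_unveil_bit(r, set1))

def p_estimate(set0, set1):
    """Bob's best guess probability: 1/2 (1 + half the distance between rho_0 and rho_1)."""
    mid0 = tuple(sum(c) / len(set0) for c in zip(*set0))
    mid1 = tuple(sum(c) / len(set1) for c in zip(*set1))
    return 0.5 * (1.0 + 0.5 * norm(axpy(mid0, -1.0, mid1)))

def grid_max(set0, set1, steps=10):
    """Largest P_U over a cubic grid of Bloch vectors inside the unit ball."""
    pts = [i / steps for i in range(-steps, steps + 1)]
    best = 0.0
    for x in pts:
        for y in pts:
            for z in pts:
                if x * x + y * y + z * z <= 1.0:
                    best = max(best, p_unveil((x, y, z), set0, set1))
    return best

def aharonov(theta):
    """Bit-0 pair |+-theta> (assumed), bit-1 pair |pi/2 -+ theta> as in Eq. (20)."""
    return ([bloch(theta), bloch(-theta)],
            [bloch(math.pi / 2 - theta), bloch(math.pi / 2 + theta)])

def two_state(gamma):
    """Single-state sets |0> and |gamma>, as in Eq. (22)."""
    return [bloch(0.0)], [bloch(gamma)]

# BB84 BC sets (assumed): {|0>, |1>} for bit 0 and {|+>, |->} for bit 1.
BB84 = ([bloch(0.0), bloch(math.pi / 2)], [bloch(math.pi / 4), bloch(-math.pi / 4)])

if __name__ == "__main__":
    s0, s1 = aharonov(math.pi / 8)
    print("P_U at the origin :", p_unveil((0.0, 0.0, 0.0), s0, s1))
    print("grid maximum      :", grid_max(s0, s1))
    print("P_E               :", p_estimate(s0, s1))
    print("BB84, mixed state :", p_unveil((0.0, 0.0, 0.0), *BB84))
```

Running it for $\theta = \pi/8$ prints the same value for Alice and Bob, and 1 for BB84 with the completely mixed state submitted.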

Fig. 8. An illustration of a BC protocol of the form specified in Eq. (22), with $\gamma = \pi/4$. The optimal density operator is indicated by the large black sphere. BC protocols of this form achieve the same trade-off between concealment and bindingness as those of the form proposed by Aharonov et al.

Our results also imply that the same trade-off between $P_U^{\max}$ and $P_E^{\max}$ can be achieved with the most simple imaginable BC protocol, namely one wherein Alice submits to Bob one of two non-orthogonal states. Specifically, to commit a bit $b$, an honest Alice sends Bob a qubit in the state $|\psi^b\rangle$, where






|0), 

17), 



(22) 



where 7 is some fixed angle satisfying < 7 < 7r/2. An example of this protocol is illustrated 
in Fig. 8. This is an instance where tlq — 1 and rii = f , which was considered in section 6.4.3. 
One can infer from the results of that section that Alice's optimal strategy is to submit the 
state I7/2) and to announce whatever bit she wishes to unveil. It is straightforward to verify 
that this protocol has the same properties as the one described above. 

It is easy to understand the equivalence of these protocols geometrically. $P_U^{\max}$ is proportional to the cosine of the angular separation of the endpoints of the polytopes (chords or points) representing the sets of states an honest Alice chooses from. Meanwhile, $P_E^{\max}$ is proportional to the Euclidean distance between the midpoints of these polytopes. It is easy to see from Figs. 7 and 8 that if the endpoints have the same angular separation, then the midpoints have the same Euclidean separation. 

Interestingly, it turns out that any protocol satisfying the conditions of cases 2.2 and 2.3 of section 6.4.1 also yields exactly the same trade-off between $P_U^{\max}$ and $P_E^{\max}$. Specifically, one can use any protocol of the form 



l^i) 



|0,O), 1^0) = 1-0,0), 
\n/2~e,^),\^l)^\n/2- 



(23) 



where 



cos 9 I 



- e*'^sin6' |1) and 6 and cf) are fixed angles satisfying < 6* < j, < 
$\phi < \pi/2$. Fig. 9 depicts an example of such a protocol. Geometrically, $P_U^{\max}$ is no longer given by the angle between the endpoints of the two polytopes representing the states an honest Alice chooses from but rather the angle between the endpoints of these polytopes and the closest endpoints of the polytopes representing the elements of the convex decomposition that Alice realizes. This ensures that $P_U^{\max}$ is the same as for the protocols discussed above. The only difference is that Alice's optimal strategy in this case requires the use of entanglement. 

Fig. 9. An illustration of a BC protocol of the form specified in Eq. (23), with $\theta = \pi/8$ and $\phi = \pi$. The optimal density operator in this case lies at the origin. Depending on which bit Alice desires to unveil, she realizes the convex decomposition parallel to one or the other of the two chords. 



Finally, we consider a protocol wherein there is a single state associated with committing 
bit 0 but two states associated with committing bit 1, specifically, 






|0), 



m 



(24) 



where a is some fixed angle satisfying < a < ^. An example of this protocol is provided in 
Fig. 10. It is of the form described in section 6.4.2, with $\langle\psi^0|\psi^1_1\rangle = \langle\psi^0|\psi^1_2\rangle$. From the results of that section, we can infer that there is a family of optimal coherent attacks of the following form. Alice submits a density operator of the form $\rho = w\,|\alpha/2\rangle\langle\alpha/2| + (1 - w)\,|{-\alpha/2}\rangle\langle{-\alpha/2}|$. If she decides to try to unveil bit 1, she realizes the convex decomposition $\{(w, |\alpha/2\rangle\langle\alpha/2|), ((1 - w), |{-\alpha/2}\rangle\langle{-\alpha/2}|)\}$, and upon obtaining the outcome $|\alpha/2\rangle$ ($|{-\alpha/2}\rangle$) tells Bob to test for $|\alpha\rangle$ ($|{-\alpha}\rangle$). Alice's maximum probability of unveiling whatever bit she desires in this case is 

$$P_U^{\max} = \tfrac{1}{2} + \tfrac{1}{2}\cos\alpha.$$

Meanwhile, from Eq. (1), we can infer that Bob's maximum probability of correctly estimating Alice's commitment is 

$$P_E^{\max} = \tfrac{1}{2} + \tfrac{1}{2}\sin^2\alpha.$$

The trade-off between $P_U^{\max}$ and $P_E^{\max}$ is 

$$2\left(P_U^{\max} - \tfrac{1}{2}\right)^2 + \left(P_E^{\max} - \tfrac{1}{2}\right) = \tfrac{1}{2}. \qquad (25)$$

A 'fair' protocol has $P_U^{\max} = P_E^{\max} = \frac{1}{2} + \frac{\sqrt{5} - 1}{4} \simeq .80902$. 

From a comparison of the trade-offs (20) and (25), it is easy to verify that a protocol which uses the states (24) achieves, for a given bindingness (a given $P_U^{\max}$), a concealment that is greater (and thus a $P_E^{\max}$ that is smaller) than the concealment that can be achieved in a protocol using the states (20), (22) or (23). 

This point is easy to see geometrically. We compare this last protocol with the protocol defined by the states (22) for simplicity. From the examples provided in Figs. 8 and 10 it is easy to visualize the fact that if the endpoints of the polytopes defined by the two protocols have the same angular separation, the midpoints do not have the same Euclidean separation - the separation is smaller for a BC protocol defined by the states (24). 
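
The comparison above can be checked numerically. The following is an added example, not code from the paper: it evaluates Bob's bound $\frac{1}{2} + \frac{1}{4}{\rm Tr}|\rho_0 - \rho_1|$ and Alice's success probability for the attacks described for the states (22) and (24), and locates each 'fair' point. It assumes $|x\rangle = \cos x\,|0\rangle + \sin x\,|1\rangle$, takes the bit-1 states of (24) to be $|\alpha\rangle$ and $|{-\alpha}\rangle$, and assumes Alice desires each bit with probability 1/2; all function names are illustrative.

```python
import math

def ket(angle):
    # Assumed parametrization: |angle> = cos(angle)|0> + sin(angle)|1> (real amplitudes).
    return (math.cos(angle), math.sin(angle))

def pass_prob(test, state):
    # Probability that `state` passes Bob's projective test onto `test`.
    return (test[0] * state[0] + test[1] * state[1]) ** 2

def mixture(weighted):
    # Density matrix sum_k w_k |s_k><s_k|, stored as (rho00, rho01, rho11).
    return tuple(sum(w * s[i] * s[j] for w, s in weighted)
                 for i, j in ((0, 0), (0, 1), (1, 1)))

def bob_estimate(rho0, rho1):
    # Two-state discrimination bound for equal priors: 1/2 + 1/4 Tr|rho0 - rho1|.
    a, b, d = (x - y for x, y in zip(rho0, rho1))
    mean, radius = (a + d) / 2, math.hypot((a - d) / 2, b)
    return 0.5 + 0.25 * (abs(mean + radius) + abs(mean - radius))

def alice_unveil(attack):
    # attack: (weight, submitted state, state announced for bit 0, for bit 1) per
    # element of the decomposition Alice realizes; each bit is desired with prob 1/2.
    return sum(w * 0.5 * (pass_prob(t0, s) + pass_prob(t1, s))
               for w, s, t0, t1 in attack)

def protocol_22(gamma):
    # Honest states |0> and |gamma>; Alice cheats by submitting |gamma/2>.
    p_e = bob_estimate(mixture([(1, ket(0))]), mixture([(1, ket(gamma))]))
    p_u = alice_unveil([(1, ket(gamma / 2), ket(0), ket(gamma))])
    return p_u, p_e

def protocol_24(alpha, w=0.5):
    # Honest states |0> for bit 0 and |alpha>, |-alpha> for bit 1 (inferred from the text).
    rho1 = mixture([(0.5, ket(alpha)), (0.5, ket(-alpha))])
    p_e = bob_estimate(mixture([(1, ket(0))]), rho1)
    p_u = alice_unveil([(w, ket(alpha / 2), ket(0), ket(alpha)),
                        (1 - w, ket(-alpha / 2), ket(0), ket(-alpha))])
    return p_u, p_e

def fair_point(protocol, lo=0.0, hi=math.pi / 2):
    # Bisect on the angle until P_U = P_E (P_U - P_E decreases on this interval).
    for _ in range(60):
        mid = (lo + hi) / 2
        p_u, p_e = protocol(mid)
        lo, hi = (mid, hi) if p_u > p_e else (lo, mid)
    return protocol((lo + hi) / 2)

if __name__ == "__main__":
    print("fair (22):", fair_point(protocol_22))
    print("fair (24):", fair_point(protocol_24))
    for angle in (0.3, 0.6, 0.9, 1.2):
        print(angle, protocol_22(angle), protocol_24(angle))
```

At equal angle the two protocols give the same $P_U^{\max}$, while $P_E^{\max}$ is smaller for the states (24); the value of $P_U^{\max}$ for (24) does not depend on the weight `w`.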

An obvious question to ask at this point is whether the trade-off relation of Eq. (25) is optimal, in the sense that the concealment against Bob is maximized for a given bindingness against Alice. Elsewhere [8] we show that it is optimal among a certain class of protocols (which includes the generalized BB84 protocols) that can be implemented using a single qubit. We also show that a better trade-off can be achieved with a BC protocol that makes use of a qutrit, that is, a three-level system. The protocol we suggest in Ref. [8] is not a generalized BB84 BC protocol; however, an equivalent protocol that is of the generalized BB84 form has been proposed by Ambainis [18]. 

Fig. 10. An illustration of a BC protocol of the form specified in Eq. (24), with $\alpha = \arccos\left((\sqrt{5} - 1)/2\right)$. There is a family of optimal density operators lying along the chord indicated in grey. BC protocols of this form achieve a better trade-off between concealment and bindingness than those of the form proposed by Aharonov et al. 



8. Conclusions 

We have formulated the problem of optimizing coherent attacks on Generalized BB84 BC 
protocols in terms of a theorem of Hughston, Jozsa and Wootters. We have found that there 
is a mapping between this problem and one of state estimation. Specifically, we have shown 
that the convex decomposition that is optimal for successfully preparing one of a set of states 
is related in a simple way to the POVM measurement that is optimal for discriminating among 
certain transformations of these states. 

We have identified Alice's optimal coherent attack for a class of generalized BB84 BC 
protocols that can be implemented using a single qubit. From these results we have determined 
the degree of bindingness that can be achieved in the BC protocol proposed by Aharonov et 
al, improving upon the best previous upper bound. This enables us to identify the trade-off 
between the degree of concealment and the degree of bindingness for this protocol. It has also 
led us to identify several qubit protocols that achieve the same trade-off as the proposal of 
Aharonov et al., as well as a qubit protocol that achieves a better trade-off. 
In optimizing over Alice's strategies, we have relied on the Bloch ball representation of 
quantum states. This provides a convenient geometrical picture of a coherent attack. Although 
this representation can be generalized to higher dimensions [19], it is unlikely that the 
geometrical pictures achievable in this way will be as intuitive. In any event, there remain 
many questions to be answered even for qubit protocols, for which this approach is likely to 
provide some insight. For instance, one can use it to consider qubit BC protocols that are 
not generalizations of the BB84 BC protocol. 

In another paper [8], we determine the optimal coherent attack in a class of BC protocols 
that is larger than the set of generalized BB84 protocols. However, the problem of determining 
the optimal trade-off between concealment and bindingness from among all BC protocols 
remains open. 

Beyond their relevance to bit commitment, coherent attacks are interesting as an example 
of what might be considered a fundamental task in quantum information processing, namely, 
the preparation of quantum states at a remote location. One can define many variants of this 
task, depending on whether the parties at the two locations are cooperative or adversarial, 
and depending on the available resources, such as the number of classical or quantum bits 
that can be exchanged, and the amount of prior entanglement the parties share. Bennett et 
al. [20] have recently considered remote state preparation in the case of cooperative parties 
who share prior entanglement and a classical channel. In the type of remote state preparation 
we have considered in this paper, the parties are adversarial and although Alice makes use 
of a quantum channel, she does so at a time prior to knowing which state she is supposed to 
prepare. 

It seems to us that the primitive of remote state preparation, construed in its most general 
sense, may be as fundamental as the primitive of state estimation and just as significant for 
the purposes of determining what sorts of information processing tasks can be successfully 
implemented with quantum systems. The mapping discussed above between state estimation 
and the particular type of remote state preparation considered in this paper suggests that 
there may be other connections between these two problems. In future work, we hope to 
explore this analogy in more detail. 
Appendix A 

We here provide the proof of optimality of the convex decomposition specified by Eq. (10). First, we establish the applicability of Jaynes' rule, defined in Eq. (2), to the probabilities in the optimal convex decomposition. This requires showing that the optimal decomposition is an extremal decomposition with the number of positively-weighted elements equal to the rank of $\rho$. 

This is trivial to see for a pure $\rho$. We now demonstrate it for an impure $\rho$. Because we have assumed that the $\{\psi_k\}_{k=1}^{2}$ are linearly independent, they span the whole 2D Hilbert space, and because $\rho$ has rank 2, its support is the 2D Hilbert space. Thus, the $\{\psi_k\}_{k=1}^{2}$ are linearly independent and have a span that is equal to the support of $\rho$, which, as shown in section 5.1 by the mapping to the state estimation problem, is sufficient to establish that the optimal convex decomposition is an extremal decomposition. It was shown in section 4 that the number of positively-weighted elements in the optimal convex decomposition is less than or equal to $n$. In the present case, $n = 2$, so this number must be less than or equal to 2. However, since $\rho$ is impure, every convex decomposition of $\rho$ has at least 2 elements receiving non-zero probability. Thus, the number must be precisely 2, which is the rank of $\rho$. 

Jaynes' rule provides a formula for the probabilities in a convex decomposition of $\rho$ in terms of $\rho$ and the elements in the decomposition. In terms of Bloch vectors, it has the form 

$$q_k = \frac{1}{2}\,\frac{1 - |\vec r|^2}{1 - \vec r\cdot\hat s_k},$$

where we have written $\hat s_k$ rather than $\vec s_k$ since the elements of the optimal decomposition, being pure, can be represented by unit Bloch vectors. Substituting this expression, together with the constraint that $\vec r = q_1\hat s_1 + q_2\hat s_2$ into Eq. (9), we can write $P_{Ub}$ entirely in terms of 

$$P_{Ub} = \tfrac{1}{2}\left(1 + q_1(\vec a_1\cdot\hat s_1) + (\vec a_2\cdot\vec r) - q_1(\vec a_2\cdot\hat s_1)\right)$$

$$\phantom{P_{Ub}} = \tfrac{1}{2}\left(1 + \vec a_2\cdot\vec r\right) + \tfrac{1}{4}\left(1 - |\vec r|^2\right)\frac{(\vec a_1 - \vec a_2)\cdot\hat s_1}{1 - \vec r\cdot\hat s_1}.$$

Rather than varying this quantity with respect to $\hat s_1$, we vary with respect to an unnormalized vector $\vec s_1$, taking $\hat s_1 = \vec s_1/|\vec s_1|$, where $|\vec s_1| = \sqrt{\vec s_1\cdot\vec s_1}$. Setting $\delta P_{Ub}(\vec s_1) = 0$ and making use of the fact that $\delta|\vec s_1| = \delta\sqrt{\vec s_1\cdot\vec s_1} = \delta\vec s_1\cdot\hat s_1$, we find that the optimal $\hat s_1$ satisfies 

$$(1 - \hat s_1\cdot\vec r)\,(\vec a_1 - \vec a_2) + \left(\hat s_1\cdot(\vec a_1 - \vec a_2)\right)(\vec r - \hat s_1) = 0.$$

By assumption, $|\vec r| \neq 1$ (since $\rho$ is impure). It follows that $(1 - \hat s_1\cdot\vec r) \neq 0$, and $(\vec r - \hat s_1) \neq 0$. Since it is also the case that $(\vec a_1 - \vec a_2) \neq 0$, we infer that $\hat s_1\cdot(\vec a_1 - \vec a_2) \neq 0$. Taking the dot product of this equation with $\vec a_1 + \vec a_2$, we find 

$$(\vec r - \hat s_1)\cdot(\vec a_1 + \vec a_2) = 0.$$

Consequently, the solutions that extremize $P_{Ub}$ are of the form 

$$\hat s_1^{\pm} = \vec r + L_\pm(\vec r)\,\vec d,$$

where $\vec d$ is given in Eq. (13). The constraint $|\hat s_1^{\pm}| = 1$ implies that $L_\pm(\vec r)$ have the form specified in Eq. (12). This result implies that $\vec a_1\cdot\hat s_1^{\rm opt} = \vec a_2\cdot\hat s_2^{\rm opt}$, which allows one to simplify the expression for $P_{Ub}$ provided in Eq. (9). Plugging $\hat s_1^{\pm}$ into the resulting expression yields 

$$P_{Ub} = \tfrac{1}{2}\left(1 + \vec a_1\cdot\vec r + L_\pm(\vec r)\,(\vec a_1\cdot\vec d)\right).$$

Since the coefficient of $L_\pm(\vec r)$ is positive, and $L_+(\vec r) > L_-(\vec r)$, the maximum $P_{Ub}$ occurs for $\hat s_1^{+}$, while the minimum occurs for $\hat s_1^{-}$. Thus, the optimal $\hat s_1$ given $\vec r$ is 

$$\hat s_1^{\rm opt} = \vec r + L_+(\vec r)\,\vec d.$$

The constraint $\vec r = \sum_k q_k\hat s_k$ then implies that 

$$\hat s_2^{\rm opt} = \vec r + L_-(\vec r)\,\vec d.$$

This establishes what we set out to prove. 

Appendix B 

We here present the proofs of the results of section 6.4.1. 

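Proof for case 1. The parallel condition is equivalent to $\vec d_0 = \vec d_1$, which implies that $L_{0+} = L_{1+}$, so that Eq. (14) becomes 

$$P_U = \frac{1}{2} + \frac{1}{4}\left(\vec r + L_{0+}(\vec r)\,\vec d_0\right)\cdot\left(\vec a^0_1 + \vec a^1_1\right).$$

This is maximized for $\vec r + L_{0+}(\vec r)\,\vec d_0 = \frac{\vec a^0_1 + \vec a^1_1}{|\vec a^0_1 + \vec a^1_1|}$, which implies that $\vec r^{\,\rm opt}$ can be any vector of the form specified in Eq. (15). □ 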

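Proof for case 2. Starting from Eq. (14), we extremize $P_U$ with respect to variations in $\vec r$ by setting $\delta P_U(\vec r) = 0$. Using the fact that $\delta r = \delta\sqrt{\vec r\cdot\vec r} = \delta\vec r\cdot\vec r/r$, and 

$$\delta L_{b+}(\vec r) = -\left(\frac{\vec r + L_{b+}(\vec r)\,\vec d_b}{\vec r\cdot\vec d_b + L_{b+}(\vec r)}\right)\cdot\delta\vec r,$$

we find that the extremal $\vec r$ satisfy 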

1 / / ^ \ \ 

,(,\ / f+Lb+ {r)db 



t^\ ^ ^ \r-db + Lb+if}JJ 

We now introduce the notation 

xq ~ r- di , xi = f ■ do , X2 = r ■ n, (B.2) 

where d^, dj- and n are defined in Eq. (19). Making use of the fact that f = ( f • do ) ^o + 
(r- dA 4 + (f • h)n, we have f :+^"+^"\^" ) = do + ^^4, which together with a? = 

V uy u \r-do+Lo+{r) J ^\-x\-x\ 

d]* • do ) c^o + ( f^i • dj- j dff + {a\ ■ n) h yields 



r + Lo+ jr) dp 
f- do + Lo+{f) 



a? - (do • a?) 

(d ■ d"^ 
(d? • d'^) d^ + {d°-n)h- ;_ /_^ ^ (xid^ + X2nj . 

y 1 x-y X2 

An analogous result holds for 6=1. Plugging these expressions into Eq. (B.l) and taking the 
dot product with each of do , di and n, wc obtain the set of equations 



= (d} • d^j Y 1 - a;§ - a^i - (oi ' ^1) ^o, 
= (d? • d^) J I - xj - xl - (d? • do) XI, 



= {{dl + d\)-n)^l-xl-xl^l-xl-xl 

- (d? -do) Y 1 ^ 2;g - 0:2X2 - (d} • di j Y 1 - xf - X2X2. 
The values of $x_0$, $x_1$ and $x_2$ that maximize $P_U$, denoted by $x_0^{\max}$, $x_1^{\max}$ and $x_2^{\max}$, are easily seen to be those given by Eq. (18). These define $\vec r^{\,\max}$ through Eq. (17). 

If $|\vec r^{\,\max}| < 1$, then it corresponds to the optimal density operator. If $|\vec r^{\,\max}| > 1$, then there is no extremum of $P_U$ inside the Bloch ball and the optimal density operator must be represented by a point on the boundary of the ball. Such a point corresponds to a pure state. Consequently there is no freedom in the convex decomposition Alice realizes, and all that she must decide is what state to tell Bob to test for. If she tells him $|\psi^0_k\rangle$ when she wishes to unveil a bit value of 0 and $|\psi^1_{k'}\rangle$ when she wishes to unveil a bit value of 1, then in terms of Bloch vectors, her probability of unveiling the bit of her choosing is 

$$P_U = \tfrac{1}{4}\left(1 + \hat r\cdot\vec a^0_k\right) + \tfrac{1}{4}\left(1 + \hat r\cdot\vec a^1_{k'}\right) = \tfrac{1}{2} + \tfrac{1}{4}\,\hat r\cdot\left(\vec a^0_k + \vec a^1_{k'}\right),$$

where we write $\hat r$ to emphasize that we are varying over pure density operators. The vector $\hat r = \frac{\vec a^0_k + \vec a^1_{k'}}{|\vec a^0_k + \vec a^1_{k'}|}$ clearly maximizes $P_U$. In our notational convention, $\vec a^0_1$ and $\vec a^1_1$ are the closest pair of Bloch vectors from the two sets, so Alice should choose $k = k' = 1$. It follows that the optimal density operator is represented by the Bloch vector defined in Eq. (16). 

Note that it may occur that $\vec a^0_2$ and $\vec a^1_2$ are as close to one another as $\vec a^0_1$ and $\vec a^1_1$, that is, it may occur that there is no unique 'closest' pair of Bloch vectors. However, in this case one will not find $|\vec r^{\,\max}| > 1$. The reason is as follows. If one did find $|\vec r^{\,\max}| > 1$, then the optimal $\vec r$ would have to be a pure state. However, since the pure states associated with the Bloch vectors $\frac{\vec a^0_1 + \vec a^1_1}{|\vec a^0_1 + \vec a^1_1|}$ and $\frac{\vec a^0_2 + \vec a^1_2}{|\vec a^0_2 + \vec a^1_2|}$ would yield the same $P_U$, any mixture of these would also yield this $P_U$. This in turn would imply that there existed a solution with $|\vec r^{\,\max}| < 1$. □ 

Proof for case 2.1. Since aj, 03,6} and a^ all lie in a plane, a^ • n is independent of 

b and k. In this case, we find x™'^^ ~ al ■ d^, x™'*'^ ~ a^ ■ dQ and x™^'' = 0° • n. That this 

corresponds to the point of intersection can be verified from the parametric equations for the 

lines containing the two chords. D 

Proof for case 2.2. If the chord defined by a\ and a| passes through the n axis, then it 

must lie in the plane of db and n, so that d\-d^ = 0. It follows that x^^^ = x^^^ = 0, and thus 

-max ^ 2.max^_ gjj^^^, |^max| < ^^ ^g ^^^^ ^^^^ | -max| < ^^ g^ ^-^^j^ -opt ^ -max ^ ^.max^ q 

Proof for case 2.3. The case being considered corresponds to n • (a° -r l^.^ 

must consider the two possibilities |r '"^'^j < 1 and |r '"^'^l > 1. In the former, r ' 

-u -111 Either way, the condition n ■ (a^ + a^) =0 implies that 



a-'+ii 
LLCr T "'"" = T 

^opt . ^ = 0. D 



